Bind any lol role to the hero League box

You can bind any lol role to the hero League box, select the number of the bound YY number, and bind any number of lol roles, and forcibly bind the bound roles.
Detailed description:
Let's talk about some simple ideas.
Recently, when I hit lol, I suddenly found that the corresponding lol role can be bound to the multi-Play box is displayed on YY. So I wondered if I could bind another high-performing hero role, so I started to try again.
Click "bind" first, capture the packet, and view the sent packet. the encrypted data is found.

POST/api_bind_yy_new.php HTTP/1.1
User-Agent: YYBind
Host: lolbox.duowan.com
Accept :*/*
Content-Length: 190
Content-Type: application/x-www-form-urlencoded

Str = response/api_bind_yy_new.php HTTP/1.1

Then drag the OD analysis,
The procedure for binding the program is as follows:
1. LOLBox.exe first reads the role data stored in Tool. ini (all logged-in games are saved in it)

2. The program decodes and Concatenates the string to obtain the content to be sent.

 


 

{"Role name": {"global": {"sn": "server name", "pn": "role name", "lat": "1359469539 ", "level": 14, "icon": 26, "good": "18", "blocked": "4", "honor": "1", "save_hero_100 ": "0", "cache": 1}, "normal": {"sn": "server name", "pn": "role name", "clat ": & quot; 1359469539 & quot;, & quot; olat & quot;: & quot; 0 & quot;, & quot; w & quot;: 19, & quot; lo & quot;: 11, & quot; le & quot;: 0, & quot; o_w & quot;: & quot ", "o_lo": "0", "o_le": "0", "cache": 1}, "zdl": {"eloScore": 1549, "winRatioScore": 879, "winBattleScore": 52, "totalScore": 2480, "originalWinRatio": 63.33, "elo": "0", "winRatio": 63.33, "wins": 19, "updatedTime": 1359469540, "cache": 1}, "mostUsedHeros": {"Lux": 10, "Veigar": 4, "FiddleSticks": 4, "Twitch ": 3, "Ashe": 2 }}} e ": 2 }}}

You can see the code. you only need to change the specific role name and server name to bind another role. If the server name and role name are Chinese characters, You Need To transcode them. For example: \ u7535 \ u4fe1 \ u5341 \ u56db
3. The program encrypts the preceding strings in the following format:
Bytes

Then create a process with the following parameters:
X: \ LOLBox \ YYBind.exe "YYBind" "encrypted string above"

4.then, run yybind.exe. We can see the modified role information, and click bind. If the role has been bound to another user, a message is displayed, indicating that the role has been bound and is bypassed by modifying a jump. in this way, the binding is successful.

Postscript: I once asked the author on Weibo. He said this is not a BUG, but it is not a BUG. Okay. I admit that it may not be very harmful,
However, I often use a large number of users, and I also hope that the product will become better and better.
This is probably the case.

Later, I tried to change the role name to </img> or xss statement. I found that the role can be parsed, but the window cannot be displayed in YY. Other roles were not carefully tested.

In fact, I think the main danger is that it may cause XSS storage and can be bound to multiple lol roles. If all the lol player roles are bound to one YY .. the corresponding YY number will be displayed on other users' boxes.

 

What if I change the YY number to an XSS statement? It is not tested because it seems complicated to unbind it.
 

Solution:
.. You know me better.
It is recommended that some verification or judgment be placed on the server side.