
Title: Record a harvest of BC Tianheng Shengda


0x00 Introduction

With illegal gambling ("spinach") sites running rampant, countless families have been torn apart. To that end I have contributed a small effort, hoping to be of some help to the "relevant departments". What I will perform for you today is a harvest of BC Tianheng Shengda.

0x01 Program Introduction

The program uses PHP 5.4 + MySQL. Its structure is as follows:

[image]

Basically, the criminals currently running such illegal sites either outsource development or work from a few modified program templates. For now, because of my limited skill, only Tianheng can be published. The version may be a bit old, but a large share of sites still use it. According to an actual test in mid-April by a netizen who did not want to be named, about 70% of sites still had these problems, while illegal sites running this program took in about 5,000 to 20,000 yuan in half an hour.

0x02 Vulnerability Details

1. money parameter - SQL injection

web\wjaction\default\PayOnlineBack.class.php

[image]

Following the money parameter: it is read from GET. Now look at the conditions it has to pass.

[image]

The conditions: the first one is the Key verification, and the Key lives in the configuration file. If the Key were wrong, no order at all could take effect. In other words, the Key is necessarily carried in the URL request, so this verification can be bypassed.

[image]

Continuing with the conditions: here an MD5 value is generated for verification. This verification is flawed, however, because the value of the Key is not included in it. So if we submit with $tno.$payno.$money empty, what we get is simply the MD5 value of $md5key, since $sign is visible in the URL. Once that hash has been cracked, we can write a script and inject according to its verification mechanism.

[image]

Keep reading down; here any value will do.

[image]

Keep reading: the last verification. The username here has to be a real one, so this verification is regarded as ineffective.

[image]

Next, based on the analysis above, injection is possible. The most important point is guessing the value of md5Key.
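To make the defensive lesson of this section concrete, here is an added example (not code from the write-up or from the Tianheng program) that mirrors the flawed callback check in Python beside a hardened version. The legacy scheme is reconstructed from the description above: MD5 over the bare concatenation $tno.$payno.$money.$md5key, a plain string compare, and the money value interpolated into SQL. The hardened scheme is my own: an HMAC keyed with the secret over length-prefixed fields, input validation before any crypto, constant-time comparison, a bound parameter, and a check that the callback amount matches the stored order. The key value, order numbers and the orders table are constructed for this example; the real md5Key is not on the page.

```python
import hashlib
import hmac
import re
import sqlite3
from typing import Mapping

# Stand-in for the md5Key the program reads from its configuration file.
# Constructed for this example; the real value is not on the page.
MD5KEY = "example-md5key-not-real"

# A callback amount must be a plain decimal with at most two fraction digits.
MONEY_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")


def legacy_sign(tno: str, payno: str, money: str) -> str:
    """Mirror of the scheme the write-up describes: MD5 over the bare
    concatenation of order fields and the secret, with no separators."""
    return hashlib.md5(f"{tno}{payno}{money}{MD5KEY}".encode()).hexdigest()


def legacy_callback_accepts(params: Mapping[str, str]) -> bool:
    """Flawed check: fields are never validated, so an all-empty request is
    'signed' by md5(MD5KEY), a constant that depends on the secret alone."""
    tno, payno, money, sign = (params.get(k, "") for k in ("tno", "payno", "money", "sign"))
    return sign == legacy_sign(tno, payno, money)


def legacy_update_sql(tno: str, money: str) -> str:
    """The interpolated statement shape that makes the money value injectable."""
    return f"UPDATE orders SET paid = paid + {money} WHERE tno = '{tno}'"


def hardened_sign(tno: str, payno: str, money: str) -> str:
    """HMAC-SHA256 keyed with the secret; fields are length-prefixed so two
    different (tno, payno, money) triples can never produce the same message."""
    msg = "|".join(f"{len(v)}:{v}" for v in (tno, payno, money))
    return hmac.new(MD5KEY.encode(), msg.encode(), hashlib.sha256).hexdigest()


def hardened_callback_accepts(params: Mapping[str, str]) -> bool:
    """Reject empty fields and non-numeric amounts before touching the
    signature, then compare digests in constant time."""
    tno, payno, money, sign = (params.get(k, "") for k in ("tno", "payno", "money", "sign"))
    if not (tno and payno and money):
        return False
    if MONEY_RE.fullmatch(money) is None:
        return False
    expected = hardened_sign(tno, payno, money)
    return hmac.compare_digest(sign.encode(), expected.encode())


def make_orders_db() -> sqlite3.Connection:
    """In-memory orders table with one constructed pending order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (tno TEXT PRIMARY KEY, amount TEXT, paid INTEGER)")
    conn.execute("INSERT INTO orders VALUES ('T20190401', '100.00', 0)")
    conn.commit()
    return conn


def apply_payment(conn: sqlite3.Connection, params: Mapping[str, str]) -> bool:
    """Hardened handler: verify the signature, then mark the order paid only if
    the callback amount equals the stored amount, using bound parameters so the
    money value can never change the statement. Returns True on success."""
    if not hardened_callback_accepts(params):
        return False
    cur = conn.execute(
        "UPDATE orders SET paid = 1 WHERE tno = ? AND amount = ? AND paid = 0",
        (params["tno"], params["money"]),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    conn = make_orders_db()
    req = {"tno": "T20190401", "payno": "PAY1", "money": "100.00"}
    req["sign"] = hardened_sign(req["tno"], req["payno"], req["money"])
    print("first callback accepted:", apply_payment(conn, req))
    print("replay accepted:", apply_payment(conn, req))
```

Two properties worth noting beyond the write-up's own point: with no separators, legacy_sign("T1", "P2", "3") and legacy_sign("T1P", "2", "3") hash the identical string, so the signature does not even bind the field boundaries; and the hardened handler's `paid = 0` predicate makes a replayed callback a no-op, which a signature check alone never gives you.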

2. Order information - Stored XSS

Order information - Username

[image]

Where the default payment form is submitted, neither the front end nor the backend filters the value, which produces a stored XSS vulnerability.

3. No backend verification - Getshell

lib/classes/googleChart/markers/GoogleChartMapMarker.php

[image]

An arbitrary code execution vulnerability: the Google variables take their data from GET and then execute it. I won't write up the code part for such a low-level problem. (This vulnerability is not reliable, about a 30% chance.)
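For anyone on the defending side who has to find out whether a deployment of this program has already been hit, here is an added detection example (not part of the original write-up) that runs over access log lines and flags the two request shapes the vulnerability details above describe: payment callbacks that arrive with empty order fields or a non-numeric money value, and direct requests to the bundled GoogleChartMapMarker.php library file, which should never be fetched from the web. The program's real URL routing is not on the page, so the assumption that the callback URL contains "PayOnlineBack" is mine; the log lines and addresses are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format line: ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MONEY_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")

# Assumption: the payment callback handler is reachable at a URL containing this fragment.
CALLBACK_MARK = "PayOnlineBack"
# Library file named in the write-up; a web client has no legitimate reason to request it.
LIBRARY_FILE = "GoogleChartMapMarker.php"

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2019:10:01:02 +0800] "GET /wjaction/default/PayOnlineBack?tno=T1&payno=P1&money=100.00&sign=abc HTTP/1.1" 200 12
203.0.113.7 - - [15/Apr/2019:10:01:09 +0800] "GET /wjaction/default/PayOnlineBack?tno=&payno=&money=&sign=abc HTTP/1.1" 200 12
203.0.113.7 - - [15/Apr/2019:10:02:11 +0800] "GET /wjaction/default/PayOnlineBack?tno=T1&payno=P1&money=100%27&sign=abc HTTP/1.1" 500 0
203.0.113.9 - - [15/Apr/2019:10:03:30 +0800] "GET /lib/classes/googleChart/markers/GoogleChartMapMarker.php?x=1 HTTP/1.1" 200 0
"""


def parse_line(line: str):
    """Split one log line into ip, timestamp, path, decoded query and status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": parts.path,
        # keep_blank_values so "tno=" shows up as an empty string rather than vanishing
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def first(query: dict, key: str) -> str:
    """First value of a query parameter, or '' when absent."""
    return query.get(key, [""])[0]


def inspect(rec: dict) -> list:
    """Return the list of reasons a parsed request looks like abuse of the issues above."""
    reasons = []
    if CALLBACK_MARK in rec["path"]:
        q = rec["query"]
        if not all(first(q, k) for k in ("tno", "payno", "money")):
            reasons.append("payment callback with empty order fields")
        money = first(q, "money")
        if money and MONEY_RE.fullmatch(money) is None:
            reasons.append("payment callback with non-numeric money")
    if rec["path"].endswith(LIBRARY_FILE):
        reasons.append("direct request to bundled library file")
    return reasons


def scan(log_text: str) -> list:
    """Run inspect() over every parseable line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in inspect(rec):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']}: {f['reason']}")
```

The empty-field rule is the one to alert on first: a real payment gateway never calls back without an order number, so a callback with tno, payno and money all blank is exactly the probing pattern the MD5 discussion above describes, and it shows up in the log even when the rest of the request looks harmless.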

0x03 Summary

This source code has more holes than just these few; you can practice digging them out yourself. Secondly, I had originally thought of releasing the illegal-site tools I have collected that were not covered here, but on reflection, to avoid leading "other" security personnel astray, I dropped the idea. This is still a filler article; I hope you all can offer more advice!

Reprinted from the original link: https://mp.weixin.qq.com/s/7R3OrGPmUesDz4YKuxoJjw
