Code audit: the black-market chain behind PUBG "eat chicken" cheat tools

Posted by punzalan at 2020-03-21

*Author of this article: Draven, this article is an original award program of freebuf, and can't be reproduced without permission

PUBG (Jedi Survival, "eat chicken") is arguably the hottest game of the year. Ninety-nine up front and thirty a month: you could also call it a game for the rich. After a month of instant noodles, this loser finally scraped together the 99 to get on the chicken bus. Getting on the bus is easy; eating chicken is hard. As a walking loot box and a courier, I have always done my duty faithfully: I hand M4s to tycoons of every kind, and only I know the bitterness in my heart.

Where there is hype, there is a black market. The game's publisher bans cheaters wave after wave, but cheats are still rampant. In order to eat chicken, I decided to investigate on my own and expose this black industrial chain for you (that is, find a pro to carry me to a chicken dinner).

Searching online for "chicken-eating assistant" (a PUBG cheat), I found a card-issuing platform selling cheat licenses.

Many readers are hearing the term "card-issuing platform" for the first time, so here is a brief introduction. A card-issuing platform is a third-party sales platform, something like Taobao. The manufacturer or agent of a cheat registers as a merchant on the platform, and the platform takes a cut of every order sold. So, as long as we take over the card-issuing platform, we can issue ourselves a license key and have a good time eating chicken.

I poked at it from the outside but found nothing usable, so the whole source code has to be audited. Time to bring out the trusty tool: first extract the distinctive keywords of the card-issuing platform, then have a search engine crawl for sites running it.

Then scan the collected sites for backup files (mostly thanks to my excellent dictionary) to obtain a copy of the source. Set it up locally and audit it.

The file structure is as follows:

The figure below shows how parameters are processed.

Every parameter in a form must be "baptized" by makeSafe, which basically just adds backslashes (addslashes-style escaping of quotes). That protection is weak, so let's think of ways around it.

1. Wrong use of parameters

The parameter-misuse problem is illustrated by $_P and $_POST.

$_P is $_POST after makeSafe "baptism". Sometimes, however, the programmer forgets the convention and reaches for $_POST directly when taking a parameter instead of $_P, so the value is never escaped.

The file admin/admininfo.php has exactly this problem.

Since there is no echo, it is a time-based blind injection.

An injection like that is tedious to exploit, so keep looking.

2. Parameters not protected by quotes

Although the escaping could be bypassed with wide bytes (the GBK multibyte trick), I would still rather find a spot that can be hit directly (mainly because I am lazy).

In the file /Lin/ajax.php, the query uses $userid, $goodid and $channelid without surrounding quotes.


However, when the parameters are fetched, $userid and $goodid are cast to int, while $channelid is not.

That constitutes an injection.


There are still many injectable places, but this is enough for now.
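The two bypasses above (reading the raw $_POST instead of the filtered $_P, and concatenating a filtered value without quotes or an int cast) come down to where makeSafe's backslashes land. As an added example, not code from the platform or from the author, here is a Python model of both patterns, the int-cast version that the other parameters get, and the wide-byte trick mentioned earlier. makeSafe is reconstructed as PHP addslashes() (my assumption), the card table and its rows are constructed sample data, and the function names are mine.

```python
import re
import sqlite3

# Assumed model of the platform's makeSafe(): PHP addslashes(), i.e. a
# backslash before ' " \ and NUL.  Not the platform's real code.
def make_safe(value: str) -> str:
    return re.sub(r"(['\"\\])", r"\\\1", value).replace("\x00", "\\0")


def make_safe_bytes(value: bytes) -> bytes:
    # Same filter on raw bytes, as PHP applies it before any charset decoding.
    return re.sub(rb"(['\"\\])", rb"\\\1", value)


def php_intval(value: str) -> int:
    # PHP's (int) cast: leading integer prefix, otherwise 0 ("1 OR 1=1" -> 1).
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def build_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the platform's card-key table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (id INTEGER, channelid INTEGER, cardkey TEXT)")
    con.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        (1, 1, "KEY-AAAA"), (2, 2, "KEY-BBBB"), (3, 3, "KEY-CCCC"),
    ])
    return con


def unquoted_lookup(con, post):
    """Pattern 2 (/Lin/ajax.php): the value IS filtered into $_P, but it is
    concatenated without quotes and without an int cast, so makeSafe has
    nothing to escape and '1 OR 1=1' goes straight into the WHERE clause."""
    p = {k: make_safe(v) for k, v in post.items()}  # the $_P array
    sql = "SELECT cardkey FROM cards WHERE channelid=" + p["channelid"] + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def wrong_source_lookup(con, post):
    """Pattern 1 (admin/admininfo.php): the value is quoted in the SQL, but it
    is read from the raw $_POST instead of the filtered $_P, so the quote in
    the payload is never escaped."""
    sql = "SELECT cardkey FROM cards WHERE cardkey='" + post["cardkey"] + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def hardened_lookup(con, post):
    """What $userid and $goodid get: an int cast.  Binding the value as a
    query parameter on top of that makes the cast the only thing that matters."""
    channelid = php_intval(post["channelid"])
    rows = con.execute("SELECT cardkey FROM cards WHERE channelid=? ORDER BY id", (channelid,))
    return [row[0] for row in rows]


def wide_byte_bypass(raw: bytes) -> str:
    """The wide-byte trick: on a GBK connection the filter's backslash (0x5c)
    is swallowed as the trail byte of a lead byte such as 0xdf, leaving the
    quote unescaped.  Returns what the database would see after decoding."""
    return make_safe_bytes(raw).decode("gbk")


if __name__ == "__main__":
    con = build_db()
    print(unquoted_lookup(con, {"channelid": "1 OR 1=1"}))        # all three keys
    print(wrong_source_lookup(con, {"cardkey": "x' OR '1'='1"}))  # all three keys
    print(hardened_lookup(con, {"channelid": "1 OR 1=1"}))        # ['KEY-AAAA']
    print(repr(wide_byte_bypass(b"\xdf'")))                       # one CJK char, then a bare quote
```

The SQLite backend here only serves to show the effect of the injected clause; the wide-byte function shows the byte-level reason the escaping fails on a GBK connection, which is why an int cast or a bound parameter, not more backslashes, is the fix.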

Next, let's look for some other fun.

Open the admin backend directory and find that its authentication depends mainly on common.php.

The other files include it to enforce authentication. Then an odd file turns up, admininfo.php, which does not include common.php. Isn't that unauthorized access? Requesting it directly shows a blank page, so let's open the source and see what it does.


We see that once the action parameter is received there are two methods.
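The check that found admininfo.php (which admin files never include the common.php guard, and which action values such a file accepts) is easy to automate. As an added example, not the author's tooling or the platform's code, here is a small Python audit helper. The PHP sources it scans are constructed stand-ins, and the action names 'show' and 'login' are hypothetical placeholders for the file's two methods, not the real ones.

```python
import re

# Constructed sample of an admin/ directory: file name -> PHP source.
# None of this is the platform's real code.
SAMPLE_ADMIN_DIR = {
    "admin/common.php":
        "<?php\nsession_start();\n"
        "if (!isset($_SESSION['admin'])) { header('Location: login.php'); exit; }\n",
    "admin/index.php":
        "<?php\nrequire_once('common.php');\necho 'dashboard';\n",
    "admin/orders.php":
        "<?php\ninclude dirname(__FILE__) . '/common.php';\n// ...\n",
    "admin/admininfo.php":
        "<?php\n$action = $_GET['action'];\n"
        "switch ($action) {\n"
        "    case 'show':  /* hypothetical: dump admin rows */ break;\n"
        "    case 'login': /* hypothetical: set admin session */ break;\n"
        "}\n",
}

# Strip comments first so a commented-out include does not count as protection.
# (Heuristic: a '//' or '#' inside a string literal would also be stripped.)
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

# Values the file compares $action against: `case 'x':` or `$action == 'x'`.
ACTION_RE = re.compile(r"""case\s*['"](\w+)['"]\s*:|\$action\s*={2,3}\s*['"](\w+)['"]""")


def includes_guard(source: str, guard: str = "common.php") -> bool:
    """True if the file has an include/require (optionally _once) naming the guard."""
    code = COMMENT_RE.sub("", source)
    pat = r"\b(?:include|require)(?:_once)?\b[^;]*?" + re.escape(guard)
    return re.search(pat, code, re.I) is not None


def files_missing_guard(sources: dict, guard: str = "common.php") -> list:
    """Files under the admin directory that never pull in the guard.
    The guard itself and the login page are expected to lack it, so skip those."""
    skip = {guard, "login.php"}
    return sorted(
        name for name, src in sources.items()
        if name.split("/")[-1] not in skip and not includes_guard(src, guard)
    )


def action_values(source: str) -> list:
    """Each distinct action a file dispatches on is an entry point; in a file
    without the guard, every one of them is reachable unauthenticated."""
    return [a or b for a, b in ACTION_RE.findall(source)]


if __name__ == "__main__":
    for name in files_missing_guard(SAMPLE_ADMIN_DIR):
        print(name, "->", action_values(SAMPLE_ADMIN_DIR[name]))
```

Run it over a real tree by reading each `.php` file under the admin directory into the dictionary; a short list of unguarded files with their action values is exactly the set of entry points to read next.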

Let's try the first method.


Look at that: isn't this a backdoor left by the developers? Much better than injection.

But an MD5 hash can't always be cracked, and I can't afford to pay for cracking.

Let's look at the second method.


This method is unbeatable: we can log in to the backend as any administrator.

Visit it first.


Then visit /Admin and go straight into the backend.


Much easier.

Take a look at our card-issuing platform.


Frightening turnover.


Come on, I'm just looking for my helper's card key.


Grab the card key, top up the account, and go "eat chicken".

Eat chicken every day.

The technical details in this article are for discussion only and must not be used for illegal activities.
