WeChat casino: a penetration tour of an H5 chess and card game

Posted by graebner at 2020-03-29

0x01 Preface

Originally I did not want to publish this, since too many interests are involved: the source code of these chess and card games sells for tens of thousands, yet it is no harder to develop than a shopping mall program. I have been too busy recently to write code audit articles, but by chance I grabbed a "lucky king"...

0x02 start

One day a friend in this business asked me to help audit a set of programs. This happened to be a gap in my write-ups, so I looked through the directory, found a few sites running the same source platform to test against, and went over the functions inside. The framework behind this source code is ThinkCMF on top of ThinkPHP 3.2; ThinkCMF has since moved to ThinkPHP 5.0. I had never done an H5 code audit before. H5 is developing rapidly now, and Flash can basically be discarded.

0x03 Back-end entrance

The back-end path has not been changed, so you can enter /admin directly. Some back ends require the authentication code to be appended to the path, but you can still get in; this becomes clear after reading the log section. There is a captcha check here, and I was too lazy to brute-force it.

0x04 log file disclosure

Look at the T00ls vulnerability report on ThinkCMF: SQL execution records can be read from a log. The log is stored at the web-accessible path data/runtime/Logs/Admin/18_05_09.log, with the file named after the date. From there we can find the administrator's account and password. CMF has two password hashing schemes; this one uses a double MD5 of (authentication code + password). The hash recovered from the SQL execution log can be looked up at https://cmd5.la/ss/ or run with a script of your own. The authentication code is generally the same across installs, so only the password has to be recovered. With the account and password, log in to the back end and get a shell.

data/runtime/Logs/Admin/18_05_09.log    ### + double MD5 (authentication code + password)

0x05 Getshell

I wanted to write the shell into a back-end configuration file. Then my friend pointed me straight at an editor at index.php/portal/adminpage/add. Since I already had back-end permission, I visited index.php/admin/setting/upload to change the list of allowed upload suffixes, uploaded a one-line webshell, connected with Cknife, and it worked.

index.php/Portal/AdminPage/add index.php/Admin/Setting/upload
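As an added hardening example (not from the original post or the ThinkCMF project), here is the web server rule set that closes both the log disclosure in 0x04 and the upload-to-shell path in 0x05: an nginx site block with the permissive catch-all left in as a comment and the restricted version in its place. Only data/runtime/Logs/ and the Admin/Setting/upload route come from the post; the document root, the data/upload/ directory, the host name and the PHP-FPM socket are assumptions.

```nginx
server {
    listen 80;
    server_name cmf.example.test;        # placeholder host name
    root /var/www/cmf;                   # assumed document root (ThinkCMF 3.2 layout)
    index index.php;

    # Weak (commented out): a bare catch-all PHP handler and no path rules. With this,
    # data/runtime/Logs/Admin/<yy_mm_dd>.log is downloadable by anyone, and any .php
    # that lands in the upload directory is executed.
    #location ~ \.php {
    #    fastcgi_pass unix:/run/php/php-fpm.sock;
    #    include fastcgi_params;
    #}

    # Hardened: the framework's runtime directory (SQL logs, cache, session files)
    # is never served, whatever the file suffix.
    location ^~ /data/runtime/ {
        return 404;
    }

    # Hardened: uploads are static files only. "^~" stops nginx from consulting the
    # regex PHP location below, and the nested rule refuses script suffixes outright,
    # so widening the allowed-suffix list in Admin/Setting/upload no longer yields
    # code execution. data/upload/ is an assumed path.
    location ^~ /data/upload/ {
        location ~* \.(php|phtml|phar|php[0-9])$ {
            return 403;
        }
        add_header X-Content-Type-Options nosniff;
        try_files $uri =404;
    }

    # PHP handler that still supports the framework's index.php/Module/Controller/action
    # URLs (PATH_INFO routing) but only for scripts that really exist on disk.
    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        set $path_info $fastcgi_path_info;            # try_files resets $fastcgi_path_info
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;      # assumed PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
    }
}
```

After reloading, a request for /data/runtime/Logs/Admin/18_05_09.log should return 404 and a .php file placed under /data/upload/ should return 403 rather than run.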

0x06 End

This kind of chess and card game was quite popular a while ago. This was just the account of one table; I do not know how much profit the other games make.