飘零网络验证4.0 用户数据清空的问题研究
本帖最后由 18288658820 于 2019-8-6 15:42 编辑看了恒大的教程,感觉飘零网络验证也很简单就破了,山寨最简单,或者转本地也比较容易 ,可是发现管理端在线一段时间后,用户数据库就被清空了。
于是就想发解下这个管理端干什么才导致用户数据库被清空的,
首先想到的是管理端肯定有后门,所以就用抓包工具去看它倒底是连接了什么网站,果然它会偷偷连接飘的一个验证服务器,IP是:36.27.212.97端口是80,网址是:http://plsyes.plyz.net
它连接了向这个地址两次,其中有一次发送了一次数据,接着这个地址向管理端返回了两次数据,这时OD中看内存数据中多了几段代码,其中就包含上边提到的,域名 ,访问了该域名下的/sys/aip.asp 可以确定这几段代码是这个域名返回数据后才解码的。这个应该是管理端调用了某个模块访问http://plsyes.plyz.net ,如果连接成功就解码一段代码到内存并执行它,它的功能就是清空用户数据的。(这段代码也有可能是验证服务器返回来的),我想过程就是这样。但是并不知道怎么去除它,下载了PL的模块源码也看不懂。
不过倒是在网上找到一个解决的方法,原贴:https://www.52pojie.cn/thread-340090-1-1.html
不过有副作用, 原理:就是修改piaomanage.asp ,中的代码 把删除数据的功能代码清除, 副作用就是删除功能失效,不过这并不难解决,对不对?
需要清空或删除的时候 把数据库转到本地,断网操作啊,连网的话也会被清空的,然后把该清空的清空 ,该删除的删除,完了以后关闭管理端,连接网络 ,上传到网络。
下边附上修改过的:piaomanage.asp,代码,
就是说把这段代码保存为:piaomanage.asp, 上传到网络, 那飘,L的验证服务器也无法删除 用户数据了,看下边:
<%
'=====================================================================
' 软件名称:飘零网络验证系统
' 软件作者:飘零QQ:251527112
' 官方网站:www.plgzs.com
' 文件名称:piaomanage.asp
' 更新日期:2013-11-13
'=====================================================================
%>
<!--#include file="xxxxconfig.asp"-->
<%
if rose(request("p")) = "3" then
response.write wen(plfhq(rose(request("f"))))
response.end
End if
piaol=ys(request("p"))
if piaol = "1" then
if session(Cachename&"piao8") <> Cachename&"pl8" then
response.write wenc("2")
response.end
end if
ling=dosql()
response.write wenc(ling)
response.end
elseif piaol = "2" then
if session(Cachename&"piao8") <> Cachename&"pl8" then
response.write wenc("2")
response.end
end if
piao= getstr()
response.write wenc(piao)
response.end
elseif piaol = "4" then
if session(Cachename&"piao8") <> Cachename&"pl8" then
response.write wenc("2")
response.end
end if
pzd8 = ys(request("pzdm"))
pdrose=pdsql(pzd8)
response.write wenc(pdrose)
response.end
elseif piaol = "7" then
plglsq=plsq(ys(request("u7")),ys(request("m7")),ys(request("c7")))
response.write wenc(plglsq)
response.end
elseif piaol = "8" then
plysdb = plBackupDB()
response.write wenc(plysdb)
response.end
else
response.write ymgg
response.end
end if
%>
<%
Function getstr()
call ConnectionDatabase
sqi = ys(request("post"))
sqi=Replace(sqi,"delete","""")
set rs = conn.execute(sqi)
if err then
getstr="2"'SQL语句出错
conn.close
set conn = Nothing
exit Function
end if
rs.MoveFirst
For Each varItem In rs.Fields
getstr = getstr & varItem.name & "々"
Next
getstr = getstr & "☆"
Do While NOT rs.EOF
For Each varItem In rs.Fields
getstr = getstr & varItem.value & "々"
Next
getstr = getstr & "☆"
rs.MoveNext
Loop
rs.close
conn.close
Set rs = Nothing
set conn = Nothing
End Function
%>
<%
Function dosql()
call ConnectionDatabase
sqi = ys(request("post"))
sqi=Replace(sqi,"delete","""")
set rs = conn.execute(sqi)
if err then
dosql="2" 'SQL语句出错
conn.close
set conn = Nothing
exit Function
end if
conn.close
set conn = Nothing
dosql = 6
End Function
%>
<%
Function pdsql(pzd)
call ConnectionDatabase
sqi=ys(request("post"))
sqi=Replace(sqi,"delete","""")
set rs = conn.execute(sqi)
if err then
pdsql="2"'SQL语句出错
conn.close
set conn=nothing
exit Function
end if
if rs.bof and rs.eof then
conn.close
set conn=nothing
pdsql="no"
exit Function
else
if pzd <> "" Then
pdsql1=rs(pzd)
conn.close
set conn=nothing
pdsql = pdsql1
else
conn.close
set conn=nothing
pdsql="ok"
end if
end if
end Function
%>
<%
Function ys(w)
Dim fen,shi,shu,fen0
If w<>"" Then
fen=split(rose(w),"{}")
fen0=fen(0)
If IsEmpty(fen0) Or Not IsNumeric(fen0) Then fen0=0
fen0=CLng(fen0)
'shi=formatdatetime(fen(0),0)
'If datediff("s",shi,time()) < 90 then
If ToUnixTime(now()) - fen0 < 90 then
shu=fen(1)
Else
shu="3"'命令超时
End if
End if
ys=shu
End Function
%>
<%
Function wenc(c)
Dim wencz
wencz = ToUnixTime(now()) & qjsjbz & c
wenc = wen(wencz)
End Function
Function wen(a)
dim q, fe, fq, shu, tioe
fe = 1
for q = 1 to len(a)
fq = cint(mid(glcsmi,fe,1))+1
shu =hex(asc(mid(a,q,1)) xor fq)
if len(shu)=4 then
tioe=tioe & cstr(shu)
else
tioe=tioe & "00" & cstr(shu)
end if
if fe < len(glcsmi) Then
fe = fe + 1
Else
fe=1
End If
next
wen=tioe
End Function
%>
<%
function rose(x)
dimxun, disc, ism
xun=1
for i=1 to len(x) step 4
ism=cint(mid(glcsmi,xun,1))+1
disc=disc & chr(int("&H" & mid(x,i,4))xor ism)
if xun < len(glcsmi) Then
xun=xun + 1
else
xun=1
end if
next
rose=disc
end function
%>
<%
Function plsq(u8,m8,c8)
if c8 <> glcjmm Then
session(Cachename&"piao8") = ""
plsq="no"
exit function
end if
call ConnectionDatabase
set rs = Server.CreateObject("ADODB.Recordset")
sqi="select * from list where use='" & u8 & "' and pass='" & m8 & "' and zt='1'"
rs.open sqi,conn,1,1
if rs.bof and rs.eof then
rs.Close
conn.Close
set rs=nothing
set conn=nothing
session(Cachename&"piao8") = ""
plsq="no"
else
rs.Close
conn.Close
set rs=nothing
set conn=nothing
session(Cachename&"piao8") = Cachename&"pl8"
plsq="ok"
end if
end function
%>
<%
Function plBackupDB()
Dim fso, Engine, strDBPath,dbpath
if session(Cachename&"piao8") <> Cachename&"pl8" then
plBackupDB = "1"
exit function
end if
dbpath = server.mappath(mdb)
strDBPath = left(dbPath,instrrev(dbpath,"\"))
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(dbPath) Then
Set Engine = CreateObject("JRO.JetEngine")
Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb"
fso.CopyFile strDBPath & "temp.mdb",dbpath
fso.DeleteFile(strDBPath & "temp.mdb")
Set fso = nothing
Set Engine = nothing
plBackupDB = "2"
Else
plBackupDB = "3"
End If
End Function
Function plfhq(f2)
IPString = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If IPString = "" Then
IPString = Request.ServerVariables("REMOTE_ADDR")
End If
call ConnectionDatabase
set rs = Server.CreateObject("ADODB.Recordset")
sqi="select * from safe where ip='" & IPString & "' and lx='1'"
rs.open sqi,conn,1,1
if rs.bof and rs.eof then
rs.Close
sqk="select * from safe where ip='" & f2 & "' and lx='2'"
rs.open sqk,conn,1,1
if rs.bof and rs.eof then
rs.Close
conn.Close
set rs=nothing
set conn=nothing
plfhq=ToUnixTime(now()) & qjsjbz & IPString
else
rs.Close
conn.Close
set rs=nothing
set conn=nothing
plfhq="11"'机器码被封
end if
else
rs.Close
conn.close
set rs=nothing
set conn=nothing
plfhq="12"'IP被封
end if
end function
%>
<%
Sub ConnectionDatabase
on error resume next
set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
if err then
Err.Clear
set conn = Nothing
Response.Write "数据库连接出错,请检查数据库名。"
Response.End
end if
End Sub
Function ToUnixTime(strTime)
If IsEmpty(strTime) or Not IsDate(strTime) Then strTime = Now
ToUnixTime = DateDiff("s","2013-1-1 08:0:0", strTime)
End Function
%> 为什么会有两个帖,,请把这个删除 对于网络验证,还是新人,需要学习。。。 明确的告诉你就是有后门,我几年前用过一段时间,用没多久就被清。
你直接把数据库的表名改了对方就咬不了你了
这验证太烂还是换个吧 学习大佬操作 学习永不间断! 如果楼主能每天都分享一些,那就更好了 看着很不错,回复一个看看
[快捷回复]-软件反汇编逆向分析,软件安全必不可少! 谢谢分享