飘零网络验证-商业版3和金盾版1.5-研究中
先占个位置:
飘零网络验证采用 易语言客户端和asp服务端(access|sqlserver2000)的架构
网上有两位已经对飘零网络验证系统做了研究
其一:通过eval的方式注册帐号,并控制服务器,我测试了,没成功,可能我对拿站不懂
其二:通过脱壳,debug,对易语言的客户端进行了破解,达到不去服务器验证
我的方法和他们有点区别,研究还在进行中......欢迎大家一起讨论,需要资料的,可以直接联系我。
12.23进展,飘零数据包传输加密方式过于简单,很容易拿到数据包的加密密码。而且还能成功操作数据库。
格式化后的piao7.asp
<%@LANGUAGE="VBSCRIPT"%> <% dim csmi,mdb,sfqczx,qjsjbz,qxbz,daan,ymgg,cjmm,zcsjjg mdb="# piaosydata #.mdb" '数据库路径 csmi = "19910122" '这里设置密码,要以管理端和客户端相同,要以这种格式长度不限,只能是数字,前后不能为零 sfqczx = "1" '这里是设置用户非法退出时是否要自动清除在线,1 为要 2为不要,用模块开发别的软件则填写2 ymgg = "欢迎使用飘零网络验证商业版" '访问该文件时的信息。 qxbz= "piao8" '用户自定义 随意字符 请自行修改! daan= "pl8" '用户自定义 随意字符 请自行修改! cjmm= "piaoling" '获取管理权限的超级密码。非常重要。。 zcsjjg =1 '注册时间间隔,单位为分钟。。 qjsjbz = "{[good-piao]}" %> <% if rose(request.Form("p")) = "1" then %> <% ling=dosql() ling=now() & qjsjbz & ling ling=wen(ling) %> <% = ling %> <% elseif rose(request.Form("p")) = "2" then %> <% piao= getstr() if session(qxbz) <> daan and UBound(split(piao,"々☆")) >2 then piao = "2" end if piao= now() & qjsjbz & piao piao= wen(piao) %> <% = piao %> <% elseif rose(request.Form("p")) = "3" then %> <% = wen(plfhq(rose(request.Form("f")))) %> <% elseif rose(request.Form("p")) = "4" then %> <% pzd8 = rose(request.Form("pzdm")) if sfqczx="1" and pzd8 = "" then plzx() end if pdrose=pdsql(pzd8) pdrose=now() & qjsjbz & pdrose pdrose=wen(pdrose) %> <% = pdrose %> <% elseif rose(request.Form("p")) = "5" then %> <% plpo=plfp(rose(request.Form("us")),rose(request.Form("mi")),ys(request.Form("m5i"))) plpo=now() & qjsjbz & plpo plpo=wen(plpo) %> <% = plpo %> <% elseif rose(request.Form("p")) = "6" then %> <% pldong=pldt(rose(request.Form("u3")),rose(request.Form("m3")),ys(request.Form("s3"))) pldong=now() & qjsjbz & pldong pldong=wen(pldong) %> <% = pldong %> <% elseif rose(request.Form("p")) = "7" then %> <% plglsq=plsq(rose(request.Form("u7")),rose(request.Form("m7")),ys(request.Form("c7"))) plglsq=now() & qjsjbz & plglsq plglsq=wen(plglsq) %> <% = plglsq %> <% elseif ys(request.Form("p")) = "8" then %> <% plysdb = plBackupDB() plysdb = now() & qjsjbz & plysdb plysdb = wen(plysdb) %> <% = plysdb %> <% else %> <% = ymgg & wen("-1") %> <% end if %> <% Function getstr() set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then getstr="1" '数据库不存在 conn.close set conn = Nothing exit Function end if set rs = Server.CreateObject("ADODB.Recordset") sqi = getpdqx(ys(request.Form("post"))) rs.Open sqi, conn, 3 if err then getstr="2" 'SQL语句出错 rs.close conn.close Set rs = Nothing set conn = Nothing exit Function end if rs.MoveFirst For Each varItem In rs.Fields getstr = getstr & varItem.name & "々" Next getstr = getstr & "☆" Do While NOT rs.EOF For Each varItem In rs.Fields getstr = getstr & varItem.value & "々" Next getstr = getstr & "☆" rs.MoveNext Loop rs.close conn.close Set rs = Nothing set conn = Nothing End Function %> <% Function dosql() set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then dosql="1" '数据库不存在 conn.close set conn = Nothing exit Function end if set rs = Server.CreateObject("ADODB.Recordset") sqi = dopdqx(ys(request.Form("post"))) rs.Open sqi, conn, 3 if err then dosql="2" 'SQL语句出错 rs.close conn.close Set rs = Nothing set conn = Nothing exit Function end if rs.close conn.close Set rs = Nothing set conn = Nothing dosql = 6 End Function %> <% Function pdsql(pzd) set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then pdsql="1" '数据库不存在 conn.close set conn=nothing exit function end if set rs = Server.CreateObject("ADODB.Recordset") sqi=getpdqx(ys(request.Form("post"))) rs.open sqi,conn,1,1 if err then pdsql="2" 'SQL语句出错 rs.close conn.close set rs=nothing set conn=nothing exit Function end if if rs.bof and rs.eof then rs.close conn.close set rs=nothing set conn=nothing pdsql="no" exit Function else if pzd <> "" Then pdsql1=rs(pzd) rs.close conn.close set rs=nothing set conn=nothing pdsql = pdsql1 else rs.close conn.close set rs=nothing set conn=nothing pdsql="ok" end if end if end Function %> <% Function ys(w) dim fen,shi,shu fen=split(rose(w),"{[good-rose]}") shi=formatdatetime(fen(0),0) if datediff("s",shi,time()) < 90 then shu=fen(1) Else shu="3" '命令超时 end if ys=shu End Function %> <% Function wen(a) dim q, fe, fq, shu, tioe fe = 1 for q = 1 to len(a) fq = cint(mid(csmi,fe,1))+1 shu =hex(asc(mid(a,q,1)) xor fq) if len(shu)=4 then tioe=tioe & cstr(shu) else tioe=tioe & "00" & cstr(shu) end if if fe < len(csmi) Then fe = fe + 1 Else fe=1 End If next wen=tioe End Function %> <% function rose(x) dim xun, disc, ism xun=1 for i=1 to len(x) step 4 ism=cint(mid(csmi,xun,1))+1 disc=disc & chr(int("&H" & mid(x,i,4))xor ism) if xun < len(csmi) Then xun=xun + 1 else xun=1 end if next rose=disc end function %> <% function plzx() dim fen,shi,shu,miao,zong fen=split(time(),":") shi=fen(0)*60*60 shu=fen(1)*60 miao=fen(2) zong=shi+shu+miao set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) set rs=createobject("ADODB.recordset") if err then rs.Close Set rs = Nothing conn.Close set conn = Nothing exit Function end if set rs = Server.CreateObject("ADODB.Recordset") sqi = "update admin set zaixian=2 where "&zong&"- jubing > 305 or jubing -"&zong&" > 305" rs.Open sqi,conn,1,3 if err then rs.Close Set rs = Nothing conn.Close set conn = Nothing exit Function end if rs.Close Set rs = Nothing conn.Close set conn = Nothing plzx = 0 End Function %> <% Function plfp(u,m,m5) dim dqi,tez,mos set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then plfp="|1|" '数据库不存在 conn.close set conn=nothing exit function end if set rs = Server.CreateObject("ADODB.Recordset") sqp="select * from safe where ip='" & u & "' and lx='3'" rs.open sqp,conn,1,1 if rs.bof and rs.eof then rs.Close sql="select * from sys where gongneng='md5' and zhuangtai='" & m5 & "'" rs.open sql,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing plfp="|2|" 'md5错误 else rs.Close sqk="select * from admin where use='" & u & "' and pass='" & m & "'" rs.open sqk,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing plfp="|3|" '账号密码错误 else dqi=rs("daoqi") rs.Close sqlm="select * from sys where gongneng='moshi'" rs.open sqlm,conn,1,1 if rs.bof and rs.eof then rs.close conn.close set rs=nothing set conn=nothing plfp="|6|" '读取模式错误 else mos=rs("zhuangtai") rs.close if mos="1" or mos="4" then if datediff("s",dqi,now()) > 0 then rs.Close conn.Close set rs=nothing set conn=nothing plfp="|4|" '账号过期 exit function end if end if sqly="select * from sys where gongneng='tzsj'" rs.open sqly,conn,1,1 if rs.bof and rs.eof then rs.close conn.close set rs=nothing set conn=nothing plfp="|5|" '特征数据不存在 else tez=rs("zhuangtai") rs.close conn.close set rs=nothing set conn=nothing plfp=tez end if end if end if end if else rs.Close conn.Close set rs=nothing set conn=nothing plfp=now() end if end function %> <% Function pldt(u2,m2,s2) dim dqi, tez set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then pldt="|1|" '数据库不存在 conn.close set conn=nothing exit function end if set rs = Server.CreateObject("ADODB.Recordset") sqi="select * from sys where gongneng='dtyz' and zhuangtai='1'" rs.open sqi,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing pldt="|2|" '未开启动态验证 else rs.Close sqk="select * from admin where use='" & u2 & "' and pass='" & m2 & "'" rs.open sqk,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing pldt="|3|" '账号密码错误 else rs.Close conn.close set rs=nothing set conn=nothing pldt=s2 end if end if end function %> <% Function plfhq(f2) IPString = Request.ServerVariables("HTTP_X_FORWARDED_FOR") If IPString = "" Then IPString = Request.ServerVariables("REMOTE_ADDR") End If set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then plfhq="1" '数据库不存在 conn.close set conn=nothing exit function end if set rs = Server.CreateObject("ADODB.Recordset") sqi="select * from safe where ip='" & IPString & "' and lx='1'" rs.open sqi,conn,1,1 if rs.bof and rs.eof then rs.Close sqk="select * from safe where ip='" & f2 & "' and lx='2'" rs.open sqk,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing plfhq=now() & qjsjbz & IPString else rs.Close conn.Close set rs=nothing set conn=nothing plfhq="11" '机器码被封 end if else rs.Close conn.close set rs=nothing set conn=nothing plfhq="12" 'IP被封 end if end function %> <% Function plsq(u8,m8,c8) if c8 <> cjmm Then session(qxbz) = "" plsq="no" exit function end if set conn = Server.CreateObject("ADODB.Connection") on error resume next conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb) if err then plsq="1" '数据库不存在 conn.close set conn=nothing exit function end if set rs = Server.CreateObject("ADODB.Recordset") sqi="select * from list where use='" & u8 & "' and pass='" & m8 & "' and zt='1'" rs.open sqi,conn,1,1 if rs.bof and rs.eof then rs.Close conn.Close set rs=nothing set conn=nothing session(qxbz) = "" plsq="no" else rs.Close conn.Close set rs=nothing set conn=nothing session(qxbz) = daan plsq="ok" end if end function %> <% Function dopdqx(ssj) if session(qxbz) = daan then dopdqx=ssj Else If Instr(LCase(ssj),LCase("delete"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("select"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("conn"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("safe"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("sys"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("list"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("insert into data"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("id<"))<>0 or Instr(LCase(ssj),LCase(">id"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("id>"))<>0 or Instr(LCase(ssj),LCase("<id"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("=id"))<>0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("id="))<>0 and Instr(LCase(ssj),LCase("ypid='"))=0 Then dopdqx="2" elseif Instr(LCase(ssj),LCase("update"))<>0 and Instr(LCase(ssj),LCase("where"))=0 Then dopdqx="2" elseif plcookies(ssj)=2 Then dopdqx="2" Else dopdqx=ssj end if end if End Function %> <% Function getpdqx(ssg) if session(qxbz) = daan then getpdqx=ssg Else If Instr(LCase(ssg),LCase("select"))=0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("select count"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("select top"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("list"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("safe"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("delete"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("update"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("insert"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("id<"))<>0 or Instr(LCase(ssg),LCase(">id"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("id>"))<>0 or Instr(LCase(ssg),LCase("<id"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("=id"))<>0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("id="))<>0 and Instr(LCase(ssg),LCase("ypid='"))=0 Then getpdqx="2" elseif Instr(LCase(ssg),LCase("gongneng='tzsj'"))<>0 Then getpdqx="2" Else getpdqx=ssg end if end if End Function %> <% Function plBackupDB() Dim fso, Engine, strDBPath,dbpath if session(qxbz) <> daan then plBackupDB = "1" exit function end if dbpath = server.mappath(mdb) strDBPath = left(dbPath,instrrev(dbpath,"\")) Set fso = CreateObject("Scripting.FileSystemObject") If fso.FileExists(dbPath) Then Set Engine = CreateObject("JRO.JetEngine") Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _ "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb" fso.CopyFile strDBPath & "temp.mdb",dbpath fso.DeleteFile(strDBPath & "temp.mdb") Set fso = nothing Set Engine = nothing plBackupDB = "2" Else plBackupDB = "3" End If End Function %> <% Function plcookies(sjck) if Instr(LCase(sjck),LCase("insert"))<>0 Then response.cookies("plcooktis").expires = date()+7 if request.cookies("plcooktis") ="" Then response.cookies("plcooktis")=now() + zcsjjg / 24 / 60 plcookies=1 Else if CDate(request.cookies("plcooktis")) > now() Then plcookies=2 Else response.cookies("plcooktis")=now() + zcsjjg / 24 / 60 plcookies=1 End If End If Else plcookies=1 End If End Function %>