飘零网络验证-商业版3和金盾版1.5-研究中

先占个位置:

飘零网络验证采用 易语言客户端和asp服务端(access|sqlserver2000)的架构

 

网上有两位已经对飘零网络验证系统做了研究

 

其一:通过eval的方式注册帐号,并控制服务器,我测试了,没成功,可能我对拿站不懂

 

其二:通过脱壳,debug,对易语言的客户端进行了破解,达到不去服务器验证

 

我的方法和他们有点区别,研究还在进行中......欢迎大家一起讨论,需要资料的,可以直接联系我。

 

12.23进展,飘零数据包传输加密方式过于简单,很容易拿到数据包的加密密码。而且还能成功操作数据库。

 

格式化后的piao7.asp   

<%@LANGUAGE="VBSCRIPT"%>
<%
  dim csmi,mdb,sfqczx,qjsjbz,qxbz,daan,ymgg,cjmm,zcsjjg
  mdb="# piaosydata  #.mdb"    '数据库路径
  csmi = "19910122"       '这里设置密码,要以管理端和客户端相同,要以这种格式长度不限,只能是数字,前后不能为零
  sfqczx = "1"            '这里是设置用户非法退出时是否要自动清除在线,1 为要  2为不要,用模块开发别的软件则填写2
  ymgg = "欢迎使用飘零网络验证商业版"    '访问该文件时的信息。
  qxbz= "piao8"           '用户自定义 随意字符 请自行修改!
  daan= "pl8"             '用户自定义 随意字符 请自行修改!
  cjmm= "piaoling"        '获取管理权限的超级密码。非常重要。。
  zcsjjg =1               '注册时间间隔,单位为分钟。。
  qjsjbz = "{[good-piao]}"
%>
<% if rose(request.Form("p")) = "1" then %>
<%
  ling=dosql()
  ling=now() & qjsjbz & ling
  ling=wen(ling)
%>
<% = ling %>
<% elseif rose(request.Form("p")) = "2" then %>
<%
  piao= getstr()
  if session(qxbz) <> daan and UBound(split(piao,"々☆")) >2 then
    piao = "2"
  end if
  piao= now() & qjsjbz & piao
  piao= wen(piao)
%>
<% = piao %>
<% elseif rose(request.Form("p")) = "3" then %>
<% = wen(plfhq(rose(request.Form("f")))) %>
<% elseif rose(request.Form("p")) = "4" then %>
<%
  pzd8 = rose(request.Form("pzdm"))
  if sfqczx="1" and pzd8 = "" then
    plzx()
  end if
  pdrose=pdsql(pzd8)
  pdrose=now() & qjsjbz & pdrose
  pdrose=wen(pdrose)
%>
<% = pdrose %>
<% elseif rose(request.Form("p")) = "5" then %>
<%
  plpo=plfp(rose(request.Form("us")),rose(request.Form("mi")),ys(request.Form("m5i")))
  plpo=now() & qjsjbz & plpo
  plpo=wen(plpo)
%>
<% = plpo %>
<% elseif rose(request.Form("p")) = "6" then %>
<%
  pldong=pldt(rose(request.Form("u3")),rose(request.Form("m3")),ys(request.Form("s3")))
  pldong=now() & qjsjbz & pldong
  pldong=wen(pldong)
%>
<% = pldong %>
<% elseif rose(request.Form("p")) = "7" then %>
<%
  plglsq=plsq(rose(request.Form("u7")),rose(request.Form("m7")),ys(request.Form("c7")))
  plglsq=now() & qjsjbz & plglsq
  plglsq=wen(plglsq)
%>
<% = plglsq %>
<% elseif ys(request.Form("p")) = "8" then %>
<%
  plysdb = plBackupDB()
  plysdb = now() & qjsjbz & plysdb
  plysdb = wen(plysdb)
%>
<% = plysdb %>
<% else %>
<% = ymgg & wen("-1") %>
<% end if %>
<%
  Function getstr()
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next 
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then 
      getstr="1"  '数据库不存在
      conn.close
      set conn = Nothing
      exit Function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi = getpdqx(ys(request.Form("post")))
    rs.Open sqi, conn, 3
    if err then 
      getstr="2"  'SQL语句出错
      rs.close
      conn.close
      Set rs = Nothing 
      set conn = Nothing
      exit Function
    end if
    rs.MoveFirst
    For Each varItem In rs.Fields 
      getstr = getstr & varItem.name & "々"
    Next 
    getstr = getstr & "☆" 
    Do While NOT rs.EOF
      For Each varItem In rs.Fields 
        getstr = getstr & varItem.value & "々" 
      Next 
      getstr = getstr & "☆" 
      rs.MoveNext 
    Loop 
    rs.close
    conn.close
    Set rs = Nothing 
    set conn = Nothing
  End Function
%>
<%
  Function dosql()
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next 
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then 
      dosql="1"   '数据库不存在
      conn.close
      set conn = Nothing
      exit Function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi = dopdqx(ys(request.Form("post")))
    rs.Open sqi, conn, 3
    if err then 
      dosql="2"   'SQL语句出错
      rs.close
      conn.close
      Set rs = Nothing 
      set conn = Nothing
      exit Function
    end if
    rs.close
    conn.close
    Set rs = Nothing 
    set conn = Nothing
    dosql = 6
  End Function
%>
<%
  Function pdsql(pzd)
  set conn = Server.CreateObject("ADODB.Connection")
  on error resume next 
  conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
  if err then 
    pdsql="1"  '数据库不存在
    conn.close
    set conn=nothing
    exit function
  end if
  set rs = Server.CreateObject("ADODB.Recordset")
  sqi=getpdqx(ys(request.Form("post")))
  rs.open sqi,conn,1,1
  if err then 
    pdsql="2"  'SQL语句出错
    rs.close
    conn.close
    set rs=nothing
    set conn=nothing
    exit Function
  end if
  if rs.bof and rs.eof then
    rs.close
    conn.close
    set rs=nothing
    set conn=nothing
    pdsql="no"
    exit Function
  else
    if pzd <> "" Then
      pdsql1=rs(pzd)
      rs.close
      conn.close
      set rs=nothing
      set conn=nothing
      pdsql = pdsql1
    else
      rs.close
      conn.close
      set rs=nothing
      set conn=nothing
      pdsql="ok"
    end if
  end if
  end Function
%>
<%
  Function ys(w)
    dim fen,shi,shu
    fen=split(rose(w),"{[good-rose]}")
    shi=formatdatetime(fen(0),0)
    if datediff("s",shi,time()) < 90 then 
      shu=fen(1)
    Else
      shu="3"  '命令超时
    end if
    ys=shu
  End Function
%>
<%
  Function wen(a)
    dim q, fe, fq, shu, tioe
    fe = 1
    for q = 1 to len(a)
      fq = cint(mid(csmi,fe,1))+1
      shu =hex(asc(mid(a,q,1)) xor fq)
      if len(shu)=4 then
        tioe=tioe & cstr(shu)
      else
        tioe=tioe & "00" & cstr(shu)
      end if
      if fe < len(csmi) Then
        fe = fe + 1
      Else
        fe=1
      End If
    next
    wen=tioe
  End Function
%>
<%
  function rose(x)
    dim  xun, disc, ism
    xun=1
    for i=1 to len(x) step 4
      ism=cint(mid(csmi,xun,1))+1
      disc=disc & chr(int("&H" & mid(x,i,4))xor ism)
      if xun < len(csmi) Then
        xun=xun + 1
      else
        xun=1
      end if
    next
    rose=disc
  end function
%>
<%
  function plzx()
    dim fen,shi,shu,miao,zong
    fen=split(time(),":")
    shi=fen(0)*60*60
    shu=fen(1)*60
    miao=fen(2)
    zong=shi+shu+miao
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next 
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    set rs=createobject("ADODB.recordset")
    if err then 
      rs.Close
      Set rs = Nothing 
      conn.Close
      set conn = Nothing
      exit Function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi = "update admin set zaixian=2 where "&zong&"- jubing > 305 or jubing -"&zong&" > 305"
    rs.Open sqi,conn,1,3
    if err then 
      rs.Close
      Set rs = Nothing 
      conn.Close
      set conn = Nothing
      exit Function
    end if
    rs.Close
    Set rs = Nothing 
    conn.Close
    set conn = Nothing
    plzx = 0
  End Function
%>
<%
  Function plfp(u,m,m5)
    dim dqi,tez,mos
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then
      plfp="|1|"  '数据库不存在
      conn.close
      set conn=nothing
      exit function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqp="select * from safe where ip='" & u & "' and lx='3'"
    rs.open sqp,conn,1,1
    if rs.bof and rs.eof then
      rs.Close
    sql="select * from sys where gongneng='md5' and zhuangtai='" & m5 & "'"
    rs.open sql,conn,1,1
    if rs.bof and rs.eof then
      rs.Close
      conn.Close
      set rs=nothing
      set conn=nothing
      plfp="|2|"  'md5错误
    else
      rs.Close
      sqk="select * from admin where use='" & u & "' and pass='" & m & "'"
      rs.open sqk,conn,1,1
      if rs.bof and rs.eof then
         rs.Close
         conn.Close
         set rs=nothing
         set conn=nothing
         plfp="|3|"  '账号密码错误
      else
       dqi=rs("daoqi")
       rs.Close
       sqlm="select * from sys where gongneng='moshi'"
       rs.open sqlm,conn,1,1
       if rs.bof and rs.eof then
           rs.close
           conn.close
           set rs=nothing
           set conn=nothing
           plfp="|6|"  '读取模式错误
        else
         mos=rs("zhuangtai")
         rs.close
         if mos="1" or mos="4" then
          if datediff("s",dqi,now()) > 0 then
           rs.Close
           conn.Close
           set rs=nothing
           set conn=nothing
           plfp="|4|"  '账号过期
          exit function
          end if
         end if
        sqly="select * from sys where gongneng='tzsj'"
        rs.open sqly,conn,1,1
        if rs.bof and rs.eof then
         rs.close
         conn.close
         set rs=nothing
         set conn=nothing
         plfp="|5|"  '特征数据不存在
        else
         tez=rs("zhuangtai")
         rs.close
         conn.close
         set rs=nothing
         set conn=nothing
         plfp=tez
         end if 
        end if
      end if
    end if
    else
      rs.Close
      conn.Close
      set rs=nothing
      set conn=nothing
      plfp=now()
    end if
  end function
%>
<%
  Function pldt(u2,m2,s2)
    dim dqi, tez
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next 
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then 
      pldt="|1|"  '数据库不存在
      conn.close
      set conn=nothing
      exit function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi="select * from sys where gongneng='dtyz' and zhuangtai='1'"
    rs.open sqi,conn,1,1
    if rs.bof and rs.eof then
      rs.Close
      conn.Close
      set rs=nothing
      set conn=nothing
      pldt="|2|"  '未开启动态验证
    else
      rs.Close
      sqk="select * from admin where use='" & u2 & "' and pass='" & m2 & "'"
      rs.open sqk,conn,1,1
      if rs.bof and rs.eof then
         rs.Close
         conn.Close
         set rs=nothing
         set conn=nothing
         pldt="|3|"  '账号密码错误
      else
        rs.Close
        conn.close
        set rs=nothing
        set conn=nothing
        pldt=s2
      end if
    end if
  end function
%>
<%
  Function plfhq(f2)
    IPString = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If IPString = "" Then
      IPString = Request.ServerVariables("REMOTE_ADDR")
    End If
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then 
      plfhq="1"  '数据库不存在
      conn.close
      set conn=nothing
      exit function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi="select * from safe where ip='" & IPString & "' and lx='1'"
    rs.open sqi,conn,1,1
    if rs.bof and rs.eof then
      rs.Close
      sqk="select * from safe where ip='" & f2 & "' and lx='2'"
      rs.open sqk,conn,1,1
      if rs.bof and rs.eof then
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        plfhq=now() & qjsjbz & IPString
      else
        rs.Close
        conn.Close
        set rs=nothing
        set conn=nothing
        plfhq="11"  '机器码被封
      end if
    else
      rs.Close
      conn.close
      set rs=nothing
      set conn=nothing
      plfhq="12"  'IP被封
    end if
  end function
%>
<%
  Function plsq(u8,m8,c8)
    if c8 <> cjmm Then
      session(qxbz) = ""
      plsq="no"
      exit function
    end if
    set conn = Server.CreateObject("ADODB.Connection")
    on error resume next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    if err then
    plsq="1"  '数据库不存在
    conn.close
    set conn=nothing
    exit function
    end if
    set rs = Server.CreateObject("ADODB.Recordset")
    sqi="select * from list where use='" & u8 & "' and pass='" & m8 & "' and zt='1'"
    rs.open sqi,conn,1,1
    if rs.bof and rs.eof then
      rs.Close
      conn.Close
      set rs=nothing
      set conn=nothing
      session(qxbz) = ""
      plsq="no"
    else
      rs.Close
      conn.Close
      set rs=nothing
      set conn=nothing
      session(qxbz) = daan
      plsq="ok"
    end if
  end function
%>
<%
  Function dopdqx(ssj)
    if session(qxbz) = daan then
      dopdqx=ssj
    Else
      If Instr(LCase(ssj),LCase("delete"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("select"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("conn"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("safe"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("sys"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("list"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("insert into data"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("id<"))<>0 or Instr(LCase(ssj),LCase(">id"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("id>"))<>0 or Instr(LCase(ssj),LCase("<id"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("=id"))<>0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("id="))<>0 and Instr(LCase(ssj),LCase("ypid='"))=0 Then
        dopdqx="2"
      elseif Instr(LCase(ssj),LCase("update"))<>0 and Instr(LCase(ssj),LCase("where"))=0 Then
        dopdqx="2"
      elseif plcookies(ssj)=2 Then
        dopdqx="2"
      Else
      dopdqx=ssj
      end if
    end if
  End Function
%>
<%
  Function getpdqx(ssg)
    if session(qxbz) = daan then
    getpdqx=ssg
    Else
      If Instr(LCase(ssg),LCase("select"))=0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("select count"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("select top"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("list"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("safe"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("delete"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("update"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("insert"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("id<"))<>0 or Instr(LCase(ssg),LCase(">id"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("id>"))<>0 or Instr(LCase(ssg),LCase("<id"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("=id"))<>0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("id="))<>0 and Instr(LCase(ssg),LCase("ypid='"))=0 Then
        getpdqx="2"
      elseif Instr(LCase(ssg),LCase("gongneng='tzsj'"))<>0 Then
        getpdqx="2"
      Else
        getpdqx=ssg
      end if
    end if
  End Function
%>
<%
  Function plBackupDB()
    Dim fso, Engine, strDBPath,dbpath
    if session(qxbz) <> daan then
      plBackupDB = "1"
      exit function
    end if
    dbpath = server.mappath(mdb)
    strDBPath = left(dbPath,instrrev(dbpath,"\"))
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(dbPath) Then
      Set Engine = CreateObject("JRO.JetEngine")
         Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
         "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb"
      fso.CopyFile strDBPath & "temp.mdb",dbpath
      fso.DeleteFile(strDBPath & "temp.mdb")
      Set fso = nothing
      Set Engine = nothing
      	plBackupDB = "2"
    Else
    	plBackupDB = "3"
    End If
  End Function
%>
<%
  Function plcookies(sjck)
    if Instr(LCase(sjck),LCase("insert"))<>0 Then
      response.cookies("plcooktis").expires = date()+7
      if request.cookies("plcooktis") ="" Then
        response.cookies("plcooktis")=now() + zcsjjg / 24 / 60
        plcookies=1
      Else
        if CDate(request.cookies("plcooktis")) > now() Then
          plcookies=2
        Else
          response.cookies("plcooktis")=now() + zcsjjg / 24 / 60
          plcookies=1
        End If
      End If
    Else
      plcookies=1
    End If
  End Function
%>

  

posted on 2012-12-18 17:01  s3  阅读(1737)  评论(0编辑  收藏  举报