先占个位置:
飘零网络验证采用 易语言客户端和asp服务端(access|sqlserver2000)的架构
网上有两位已经对飘零网络验证系统做了研究
其一:通过eval的方式注册帐号,并控制服务器,我测试了,没成功,可能我对拿站不懂
其二:通过脱壳,debug,对易语言的客户端进行了破解,达到不去服务器验证
我的方法和他们有点区别,研究还在进行中......欢迎大家一起讨论,需要资料的,可以直接联系我。
12.23进展:飘零的数据包传输加密方式过于简单(下文的 wen/rose 只是用固定的数字密钥 csmi 逐字符异或后再转成十六进制),很容易拿到数据包的加密密码,而且还能成功操作数据库。
格式化后的piao7.asp
<%@LANGUAGE="VBSCRIPT"%>
<%
' ---------------------------------------------------------------------------
' Site-wide settings for the verification endpoint.
'
' NOTE(review): every value below is a secret or a trust marker stored in
' plain text in the page source. The same csmi key has to be configured in
' the client, so it cannot be treated as confidential; rotate all of these
' from the shipped defaults and keep the file unreadable to other tenants.
' ---------------------------------------------------------------------------

' Storage.
' NOTE(review): the functions in this file resolve mdb with Server.MapPath,
' i.e. relative to the web root; confirm the server refuses to serve *.mdb.
Dim mdb
mdb = "# piaosydata #.mdb"          ' database path

' Transport key and reply framing.
Dim csmi, qjsjbz
csmi = "19910122"                   ' shared key; must be identical in the admin tool and the client; any length, digits only, must not start or end with zero
qjsjbz = "{[good-piao]}"            ' separator placed between the server time and the payload in replies

' Privileged-session marker: session(qxbz) = daan marks an authorised session.
Dim qxbz, daan, cjmm
qxbz = "piao8"                      ' user-defined arbitrary string; change it
daan = "pl8"                        ' user-defined arbitrary string; change it
cjmm = "piaoling"                   ' super password that grants admin rights; very important

' Behaviour switches.
Dim sfqczx, zcsjjg, ymgg
sfqczx = "1"                        ' clear stale online flags when a user exits abnormally: 1 = yes, 2 = no (use 2 when the module is embedded in other software)
zcsjjg = 1                          ' minimum interval between registrations, in minutes
ymgg = "欢迎使用飘零网络验证商业版"   ' text shown when the page is requested without a recognised command
%>
<% if rose(request.Form("p")) = "1" then %>
<%
' Request dispatcher. The form field "p" is decoded with rose() and selects
' the operation:
'   "1" dosql()      - run the statement carried in form field "post"
'   "2" getstr()     - run a query from "post" and return the rows
'   "3" plfhq()      - IP / machine-code ban check (field "f")
'   "4" pdsql()      - existence / single-column lookup (fields "post", "pzdm")
'   "5" plfp()       - login check (fields "us", "mi", "m5i")
'   "6" pldt()       - dynamic verification (fields "u3", "m3", "s3")
'   "7" plsq()       - admin authorisation (fields "u7", "m7", "c7")
'   "8" plBackupDB() - database maintenance (this branch decodes "p" with ys())
'   anything else    - ymgg followed by wen("-1")
' Every reply except "3" and the fallback is now() & qjsjbz & result, encoded
' with wen(). The line breaks between the script blocks are emitted as part
' of the response.
'
' NOTE(review): branches "1", "2" and "4" hand text taken from the request to
' ADO as SQL. The only controls in front of them are the csmi encoding and the
' keyword filters dopdqx()/getpdqx(); neither is an access-control boundary.
ling=dosql()
ling=now() & qjsjbz & ling
ling=wen(ling)
%>
<% = ling %>
<% elseif rose(request.Form("p")) = "2" then %>
<%
piao= getstr()
' Sessions that are not marked privileged get "2" instead of the data when the
' result contains more than two "々☆" row terminators (the header line plus
' more than one data row). The query has already run at this point.
if session(qxbz) <> daan and UBound(split(piao,"々☆")) >2 then
piao = "2"
end if
piao= now() & qjsjbz & piao
piao= wen(piao)
%>
<% = piao %>
<% elseif rose(request.Form("p")) = "3" then %>
<% = wen(plfhq(rose(request.Form("f")))) %>
<% elseif rose(request.Form("p")) = "4" then %>
<%
' "pzdm" optionally names the column whose value pdsql() should return.
pzd8 = rose(request.Form("pzdm"))
' With sfqczx = "1" and no column requested, stale online flags are cleared
' first (plzx).
if sfqczx="1" and pzd8 = "" then
plzx()
end if
pdrose=pdsql(pzd8)
pdrose=now() & qjsjbz & pdrose
pdrose=wen(pdrose)
%>
<% = pdrose %>
<% elseif rose(request.Form("p")) = "5" then %>
<%
' Login: user name and password are decoded with rose(); the "m5i" field goes
' through ys(), which also applies the timestamp check.
plpo=plfp(rose(request.Form("us")),rose(request.Form("mi")),ys(request.Form("m5i")))
plpo=now() & qjsjbz & plpo
plpo=wen(plpo)
%>
<% = plpo %>
<% elseif rose(request.Form("p")) = "6" then %>
<%
' Dynamic verification: pldt() returns the decoded "s3" value when the
' account check passes.
pldong=pldt(rose(request.Form("u3")),rose(request.Form("m3")),ys(request.Form("s3")))
pldong=now() & qjsjbz & pldong
pldong=wen(pldong)
%>
<% = pldong %>
<% elseif rose(request.Form("p")) = "7" then %>
<%
' Admin authorisation: "c7" carries the super password (compared with cjmm in
' plsq); success marks the session as privileged.
plglsq=plsq(rose(request.Form("u7")),rose(request.Form("m7")),ys(request.Form("c7")))
plglsq=now() & qjsjbz & plglsq
plglsq=wen(plglsq)
%>
<% = plglsq %>
<% elseif ys(request.Form("p")) = "8" then %>
<%
' Unlike the branches above, "p" is decoded with ys() here, so ys() runs for
' every request whose command is not "1".."7". plBackupDB() itself checks the
' privileged-session marker.
plysdb = plBackupDB()
plysdb = now() & qjsjbz & plysdb
plysdb = wen(plysdb)
%>
<% = plysdb %>
<% else %>
<% = ymgg & wen("-1") %>
<% end if %>
<%
Function getstr()
' Runs the query carried in form field "post" and serialises the result.
'
' The field is decoded by ys() and passed through getpdqx(), which returns the
' text unchanged or the string "2". The outcome is opened as a recordset.
'
' Returns:
'   "1"  - the database could not be opened
'   "2"  - opening the recordset raised an error (this is also what happens
'          when getpdqx() rejected the statement and "2" is opened as SQL)
'   else - field names, then one line per row; every cell is followed by "々"
'          and every line by "☆"
'
' NOTE(review): the SQL text originates from the client. A keyword filter in
' front of rs.Open is not a substitute for fixed, parameterised queries.
set conn = Server.CreateObject("ADODB.Connection")
' From here on errors are not raised; they are only visible through Err.
on error resume next
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
if err then
getstr="1" 'database could not be opened
conn.close
set conn = Nothing
exit Function
end if
set rs = Server.CreateObject("ADODB.Recordset")
sqi = getpdqx(ys(request.Form("post")))
rs.Open sqi, conn, 3
if err then
getstr="2" 'SQL statement failed
rs.close
conn.close
Set rs = Nothing
set conn = Nothing
exit Function
end if
' On an empty result MoveFirst raises an error, which is suppressed by the
' On Error Resume Next above; the header line is still produced.
rs.MoveFirst
' Header line: column names.
For Each varItem In rs.Fields
getstr = getstr & varItem.name & "々"
Next
getstr = getstr & "☆"
' One line per row, same separators as the header.
Do While NOT rs.EOF
For Each varItem In rs.Fields
getstr = getstr & varItem.value & "々"
Next
getstr = getstr & "☆"
rs.MoveNext
Loop
rs.close
conn.close
Set rs = Nothing
set conn = Nothing
End Function
%>
<%
Function dosql()
' Executes the statement carried in form field "post".
'
' The field is decoded by ys() and passed through dopdqx(), which returns the
' text unchanged or the string "2"; the outcome is executed via rs.Open.
'
' Returns:
'   "1" - the database could not be opened
'   "2" - rs.Open raised an error (including a statement rejected by dopdqx)
'   6   - the statement ran without error (a number, not a string)
'
' NOTE(review): this is a write path driven by client-supplied SQL. The
' keyword filter in dopdqx() is the only restriction for sessions that are not
' marked privileged; treat it as defence in depth at best.
set conn = Server.CreateObject("ADODB.Connection")
' From here on errors are not raised; they are only visible through Err.
on error resume next
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
if err then
dosql="1" 'database could not be opened
conn.close
set conn = Nothing
exit Function
end if
set rs = Server.CreateObject("ADODB.Recordset")
sqi = dopdqx(ys(request.Form("post")))
rs.Open sqi, conn, 3
if err then
dosql="2" 'SQL statement failed
rs.close
conn.close
Set rs = Nothing
set conn = Nothing
exit Function
end if
rs.close
conn.close
Set rs = Nothing
set conn = Nothing
dosql = 6
End Function
%>
<%
Function pdsql(pzd)
' Runs the query carried in form field "post" and reports whether it matched.
'
' Parameters:
'   pzd - optional column name; when non-empty the value of that column in the
'         first row is returned instead of "ok"
'
' Returns:
'   "1"  - the database could not be opened
'   "2"  - opening the recordset raised an error
'   "no" - the query returned no rows
'   "ok" - at least one row and pzd is empty
'   else - rs(pzd) of the first row
'
' NOTE(review): both the SQL text and the column name come from the request
' (the dispatcher passes the decoded "pzdm" field as pzd). getpdqx() filters
' the statement only; the column name is used as given.
set conn = Server.CreateObject("ADODB.Connection")
' From here on errors are not raised; they are only visible through Err.
on error resume next
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
if err then
pdsql="1" 'database could not be opened
conn.close
set conn=nothing
exit function
end if
set rs = Server.CreateObject("ADODB.Recordset")
sqi=getpdqx(ys(request.Form("post")))
rs.open sqi,conn,1,1
if err then
pdsql="2" 'SQL statement failed
rs.close
conn.close
set rs=nothing
set conn=nothing
exit Function
end if
if rs.bof and rs.eof then
' No matching row.
rs.close
conn.close
set rs=nothing
set conn=nothing
pdsql="no"
exit Function
else
if pzd <> "" Then
' Read the requested column before the recordset is closed.
pdsql1=rs(pzd)
rs.close
conn.close
set rs=nothing
set conn=nothing
pdsql = pdsql1
else
rs.close
conn.close
set rs=nothing
set conn=nothing
pdsql="ok"
end if
end if
end Function
%>
<%
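Function ys(w)
    ' Decodes a timestamped field and returns its payload.
    '
    ' The decoded text (see rose) is expected to be
    '   <timestamp>{[good-rose]}<payload>
    ' The payload is returned when the timestamp check passes; otherwise the
    ' string "3" (command timed out) is returned.
    '
    ' A field with no separator or with an unparsable timestamp used to raise
    ' a runtime error (subscript out of range / type mismatch). The dispatcher
    ' evaluates ys() on the "p" field for every request that is not command
    ' "1".."7", so a missing field ended in an error page instead of the
    ' fallback reply. Such input is now rejected with "3".
    '
    ' NOTE(review): the check compares against Time(), i.e. the time of day
    ' only, and accepts any difference below 90 seconds, including negative
    ' ones. Confirm what the client puts in the timestamp before relying on
    ' this as replay protection.
    Dim fen, shi, shu

    fen = Split(rose(w), "{[good-rose]}")

    ' Need both a timestamp part and a payload part.
    If UBound(fen) < 1 Then
        ys = "3"
        Exit Function
    End If

    ' FormatDateTime fails on text that is not a date.
    If Not IsDate(fen(0)) Then
        ys = "3"
        Exit Function
    End If

    shi = FormatDateTime(fen(0), 0)
    If DateDiff("s", shi, Time()) < 90 Then
        shu = fen(1)
    Else
        shu = "3" ' command timed out
    End If
    ys = shu
End Function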
%>
<%
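Function wen(a)
    ' Encodes a reply for the client.
    '
    ' Each character code is XORed with (digit + 1), where the digit is taken
    ' from csmi at a position that cycles through the key, and the result is
    ' written as exactly four hexadecimal digits. rose() reads the stream back
    ' four digits at a time.
    '
    ' The original padded with a fixed "00", which is only correct for
    ' two-digit values: a value below 16 (for example a line break inside a
    ' database field) produced three digits and a three-digit value produced
    ' five, shifting every following group. Values are now left-padded to
    ' four digits.
    '
    ' NOTE(review): this is a repeating XOR with a short fixed key that is
    ' also present in the client. It obscures the traffic but provides neither
    ' confidentiality nor integrity; use TLS for the transport.
    Dim q, fe, fq, shu, tioe

    fe = 1
    For q = 1 To Len(a)
        fq = CInt(Mid(csmi, fe, 1)) + 1
        shu = Hex(Asc(Mid(a, q, 1)) Xor fq)
        tioe = tioe & Right("0000" & CStr(shu), 4)

        ' Advance the key position, wrapping at the end of csmi.
        If fe < Len(csmi) Then
            fe = fe + 1
        Else
            fe = 1
        End If
    Next
    wen = tioe
End Function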
%>
<%
Function rose(x)
    ' Decodes a request field: the inverse of wen().
    '
    ' x is read four hexadecimal digits at a time; each value is XORed with
    ' (digit + 1), the digit coming from csmi at a position that cycles
    ' through the key, and converted back to a character. Returns the decoded
    ' text (nothing is assigned when x is empty).
    '
    ' NOTE(review): the key is fixed and shared with every client, so decoding
    ' successfully says nothing about who sent the request.
    Dim offset, keyPos, mask, plain

    keyPos = 1
    offset = 1
    Do While offset <= Len(x)
        mask = CInt(Mid(csmi, keyPos, 1)) + 1
        plain = plain & Chr(Int("&H" & Mid(x, offset, 4)) Xor mask)

        ' Next key digit, starting over after the last one.
        keyPos = keyPos + 1
        If keyPos > Len(csmi) Then
            keyPos = 1
        End If

        offset = offset + 4
    Loop

    rose = plain
End Function
%>
<%
function plzx()
' Clears stale "online" flags.
'
' Computes the current time of day in seconds and sets admin.zaixian = 2 for
' every row whose jubing column differs from it by more than 305 in either
' direction. Returns 0 when the update ran; nothing is assigned on failure.
'
' NOTE(review): presumably jubing holds the second-of-day of the last client
' heartbeat - confirm. The split on ":" assumes Time() renders as h:m:s with
' no AM/PM suffix.
dim fen,shi,shu,miao,zong
fen=split(time(),":")
shi=fen(0)*60*60
shu=fen(1)*60
miao=fen(2)
zong=shi+shu+miao
set conn = Server.CreateObject("ADODB.Connection")
' From here on errors are not raised; they are only visible through Err.
on error resume next
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
set rs=createobject("ADODB.recordset")
' Err reflects a failure of either of the two statements above.
if err then
rs.Close
Set rs = Nothing
conn.Close
set conn = Nothing
exit Function
end if
set rs = Server.CreateObject("ADODB.Recordset")
' zong is computed locally from Time(); no request data reaches this statement.
sqi = "update admin set zaixian=2 where "&zong&"- jubing > 305 or jubing -"&zong&" > 305"
rs.Open sqi,conn,1,3
if err then
rs.Close
Set rs = Nothing
conn.Close
set conn = Nothing
exit Function
end if
rs.Close
Set rs = Nothing
conn.Close
set conn = Nothing
plzx = 0
End Function
%>
<%
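Function plfp(u,m,m5)
    ' Login check.
    '
    ' Parameters:
    '   u  - user name (decoded from the request)
    '   m  - password (decoded from the request)
    '   m5 - client checksum, compared with sys.zhuangtai where gongneng='md5'
    '
    ' Returns:
    '   "|1|" - the database could not be opened
    '   "|2|" - checksum not accepted
    '   "|3|" - wrong user name or password
    '   "|4|" - account expired (checked only when the mode is "1" or "4")
    '   "|5|" - feature data row missing
    '   "|6|" - mode row missing
    '   now() - a row exists in safe with ip = u and lx = '3'
    '   else  - sys.zhuangtai of the gongneng='tzsj' row (login accepted)
    '
    ' All three arguments come from the request and were concatenated into SQL
    ' string literals as-is. Single quotes are now doubled before the values
    ' are embedded, so the input stays inside the literal. ADODB.Command with
    ' parameters would be the stronger fix if the page is reworked.
    '
    ' NOTE(review): errors are suppressed below and no query result is checked
    ' through Err, so a failed rs.Open is not distinguished from an empty
    ' result. The password is compared as stored; confirm whether it is hashed
    ' before it reaches this page.
    Dim dqi, tez, mos
    Dim safeUser, safePass, safeSum

    safeUser = Replace(u & "", "'", "''")
    safePass = Replace(m & "", "'", "''")
    safeSum = Replace(m5 & "", "'", "''")

    Set conn = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    If Err Then
        plfp = "|1|" ' database could not be opened
        conn.Close
        Set conn = Nothing
        Exit Function
    End If
    Set rs = Server.CreateObject("ADODB.Recordset")

    ' Block list keyed on the user name (safe.lx = '3').
    sqp = "select * from safe where ip='" & safeUser & "' and lx='3'"
    rs.Open sqp, conn, 1, 1
    If rs.BOF And rs.EOF Then
        rs.Close

        ' Client checksum must match the configured value.
        sql = "select * from sys where gongneng='md5' and zhuangtai='" & safeSum & "'"
        rs.Open sql, conn, 1, 1
        If rs.BOF And rs.EOF Then
            rs.Close
            conn.Close
            Set rs = Nothing
            Set conn = Nothing
            plfp = "|2|" ' checksum mismatch
        Else
            rs.Close

            ' Credentials.
            sqk = "select * from admin where use='" & safeUser & "' and pass='" & safePass & "'"
            rs.Open sqk, conn, 1, 1
            If rs.BOF And rs.EOF Then
                rs.Close
                conn.Close
                Set rs = Nothing
                Set conn = Nothing
                plfp = "|3|" ' wrong user name or password
            Else
                dqi = rs("daoqi")
                rs.Close

                ' Operating mode decides whether expiry is enforced.
                sqlm = "select * from sys where gongneng='moshi'"
                rs.Open sqlm, conn, 1, 1
                If rs.BOF And rs.EOF Then
                    rs.Close
                    conn.Close
                    Set rs = Nothing
                    Set conn = Nothing
                    plfp = "|6|" ' mode row could not be read
                Else
                    mos = rs("zhuangtai")
                    rs.Close
                    If mos = "1" Or mos = "4" Then
                        If DateDiff("s", dqi, Now()) > 0 Then
                            ' The recordset is already closed at this point.
                            conn.Close
                            Set rs = Nothing
                            Set conn = Nothing
                            plfp = "|4|" ' account expired
                            Exit Function
                        End If
                    End If

                    ' Accepted: hand back the feature data.
                    sqly = "select * from sys where gongneng='tzsj'"
                    rs.Open sqly, conn, 1, 1
                    If rs.BOF And rs.EOF Then
                        rs.Close
                        conn.Close
                        Set rs = Nothing
                        Set conn = Nothing
                        plfp = "|5|" ' feature data row missing
                    Else
                        tez = rs("zhuangtai")
                        rs.Close
                        conn.Close
                        Set rs = Nothing
                        Set conn = Nothing
                        plfp = tez
                    End If
                End If
            End If
        End If
    Else
        ' A block-list row exists for this user name.
        rs.Close
        conn.Close
        Set rs = Nothing
        Set conn = Nothing
        plfp = Now()
    End If
End Function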
%>
<%
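Function pldt(u2,m2,s2)
    ' Dynamic verification.
    '
    ' Parameters:
    '   u2 - user name (decoded from the request)
    '   m2 - password (decoded from the request)
    '   s2 - value supplied by the client; returned unchanged on success
    '
    ' Returns:
    '   "|1|" - the database could not be opened
    '   "|2|" - dynamic verification is not enabled (sys row dtyz <> '1')
    '   "|3|" - wrong user name or password
    '   s2    - credentials accepted
    '
    ' u2 and m2 come from the request and were concatenated into SQL string
    ' literals as-is. Single quotes are now doubled before the values are
    ' embedded, so the input stays inside the literal.
    '
    ' NOTE(review): the success reply is the client's own s2 value, so the
    ' reply proves only that the credentials matched and that the sender knows
    ' the csmi encoding.
    Dim dqi, tez
    Dim safeUser, safePass

    safeUser = Replace(u2 & "", "'", "''")
    safePass = Replace(m2 & "", "'", "''")

    Set conn = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    If Err Then
        pldt = "|1|" ' database could not be opened
        conn.Close
        Set conn = Nothing
        Exit Function
    End If
    Set rs = Server.CreateObject("ADODB.Recordset")

    ' Feature switch.
    sqi = "select * from sys where gongneng='dtyz' and zhuangtai='1'"
    rs.Open sqi, conn, 1, 1
    If rs.BOF And rs.EOF Then
        rs.Close
        conn.Close
        Set rs = Nothing
        Set conn = Nothing
        pldt = "|2|" ' dynamic verification not enabled
    Else
        rs.Close

        ' Credentials.
        sqk = "select * from admin where use='" & safeUser & "' and pass='" & safePass & "'"
        rs.Open sqk, conn, 1, 1
        If rs.BOF And rs.EOF Then
            rs.Close
            conn.Close
            Set rs = Nothing
            Set conn = Nothing
            pldt = "|3|" ' wrong user name or password
        Else
            rs.Close
            conn.Close
            Set rs = Nothing
            Set conn = Nothing
            pldt = s2
        End If
    End If
End Function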
%>
<%
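Function plfhq(f2)
    ' Ban check by IP address and by machine code.
    '
    ' Parameters:
    '   f2 - machine code (decoded from the request)
    '
    ' Returns:
    '   "1"  - the database could not be opened
    '   "12" - the IP address is banned (safe.lx = '1')
    '   "11" - the machine code is banned (safe.lx = '2')
    '   else - now() & qjsjbz & the IP address that was checked
    '
    ' Both the forwarded-for header and f2 are request data and were
    ' concatenated into SQL string literals as-is. Single quotes are now
    ' doubled before the values are embedded, so the input stays inside the
    ' literal. The value returned to the caller is the address as received.
    '
    ' NOTE(review): X-Forwarded-For is set by the client unless a trusted proxy
    ' overwrites it, so the IP ban is keyed on a value the caller chooses.
    ' Prefer REMOTE_ADDR unless the server is known to sit behind such a proxy.
    ' NOTE(review): errors are suppressed below and the queries are not checked
    ' through Err, so a failed lookup is not distinguished from "no ban row".
    Dim safeIp, safeMachine

    IPString = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If IPString = "" Then
        IPString = Request.ServerVariables("REMOTE_ADDR")
    End If

    safeIp = Replace(IPString & "", "'", "''")
    safeMachine = Replace(f2 & "", "'", "''")

    Set conn = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    If Err Then
        plfhq = "1" ' database could not be opened
        conn.Close
        Set conn = Nothing
        Exit Function
    End If
    Set rs = Server.CreateObject("ADODB.Recordset")

    ' IP ban list.
    sqi = "select * from safe where ip='" & safeIp & "' and lx='1'"
    rs.Open sqi, conn, 1, 1
    If rs.BOF And rs.EOF Then
        rs.Close

        ' Machine-code ban list (stored in the same ip column).
        sqk = "select * from safe where ip='" & safeMachine & "' and lx='2'"
        rs.Open sqk, conn, 1, 1
        If rs.BOF And rs.EOF Then
            rs.Close
            conn.Close
            Set rs = Nothing
            Set conn = Nothing
            plfhq = Now() & qjsjbz & IPString
        Else
            rs.Close
            conn.Close
            Set rs = Nothing
            Set conn = Nothing
            plfhq = "11" ' machine code banned
        End If
    Else
        rs.Close
        conn.Close
        Set rs = Nothing
        Set conn = Nothing
        plfhq = "12" ' IP banned
    End If
End Function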
%>
<%
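Function plsq(u8,m8,c8)
    ' Admin authorisation: marks the session as privileged.
    '
    ' Parameters:
    '   u8 - admin user name (decoded from the request)
    '   m8 - admin password (decoded from the request)
    '   c8 - super password, must equal cjmm
    '
    ' Returns:
    '   "no" - super password or credentials rejected (the session marker is
    '          cleared)
    '   "1"  - the database could not be opened
    '   "ok" - accepted; session(qxbz) is set to daan
    '
    ' A privileged session bypasses the statement filters in dopdqx() and
    ' getpdqx() and is allowed to call plBackupDB(), so this is the most
    ' sensitive check in the file.
    '
    ' u8 and m8 come from the request and were concatenated into SQL string
    ' literals as-is. Single quotes are now doubled before the values are
    ' embedded, so the input stays inside the literal.
    '
    ' NOTE(review): cjmm is a constant in the page source, and errors are
    ' suppressed below without checking Err after the query.
    Dim safeUser, safePass

    If c8 <> cjmm Then
        session(qxbz) = ""
        plsq = "no"
        Exit Function
    End If

    safeUser = Replace(u8 & "", "'", "''")
    safePass = Replace(m8 & "", "'", "''")

    Set conn = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(mdb)
    If Err Then
        plsq = "1" ' database could not be opened
        conn.Close
        Set conn = Nothing
        Exit Function
    End If
    Set rs = Server.CreateObject("ADODB.Recordset")

    ' Only enabled administrators (zt = '1') qualify.
    sqi = "select * from list where use='" & safeUser & "' and pass='" & safePass & "' and zt='1'"
    rs.Open sqi, conn, 1, 1
    If rs.BOF And rs.EOF Then
        rs.Close
        conn.Close
        Set rs = Nothing
        Set conn = Nothing
        session(qxbz) = ""
        plsq = "no"
    Else
        rs.Close
        conn.Close
        Set rs = Nothing
        Set conn = Nothing
        session(qxbz) = daan
        plsq = "ok"
    End If
End Function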
%>
<%
Function dopdqx(ssj)
    ' Statement filter for the execute path (dosql).
    '
    ' A privileged session (session(qxbz) = daan) gets the statement back
    ' unchanged. For every other session the statement is returned unchanged
    ' only if none of the rules below matches; otherwise the string "2" is
    ' returned. Matching is a case-insensitive substring search.
    '
    ' NOTE(review): this is a deny-list over raw SQL text. It does not parse
    ' the statement, so it should be regarded as a tripwire rather than as
    ' the control that keeps unprivileged clients away from the data. The
    ' durable fix is to expose fixed, parameterised operations.
    Dim lowered, token, blocked

    If session(qxbz) = daan Then
        dopdqx = ssj
        Exit Function
    End If

    lowered = LCase(ssj)
    blocked = False

    ' Fragments that are rejected wherever they appear.
    For Each token In Array("delete", "select", "conn", "safe", "sys", "list", _
                            "insert into data", "id<", ">id", "id>", "<id", "=id")
        If InStr(lowered, token) <> 0 Then
            blocked = True
            Exit For
        End If
    Next

    If Not blocked Then
        If InStr(lowered, "id=") <> 0 And InStr(lowered, "ypid='") = 0 Then
            ' "id=" is tolerated only when the text also contains ypid='
            blocked = True
        ElseIf InStr(lowered, "update") <> 0 And InStr(lowered, "where") = 0 Then
            ' an update needs a where clause
            blocked = True
        ElseIf plcookies(ssj) = 2 Then
            ' insert attempted again before the registration interval elapsed
            blocked = True
        End If
    End If

    If blocked Then
        dopdqx = "2"
    Else
        dopdqx = ssj
    End If
End Function
%>
<%
Function getpdqx(ssg)
    ' Statement filter for the read paths (getstr, pdsql).
    '
    ' A privileged session (session(qxbz) = daan) gets the statement back
    ' unchanged. For every other session the text must contain "select" and
    ' must not match any rule below; otherwise the string "2" is returned.
    ' Matching is a case-insensitive substring search.
    '
    ' NOTE(review): this is a deny-list over raw SQL text. It does not parse
    ' the statement, so it should be regarded as a tripwire rather than as
    ' the control that keeps unprivileged clients away from the data. The
    ' durable fix is to expose fixed, parameterised queries.
    Dim lowered, token, blocked

    If session(qxbz) = daan Then
        getpdqx = ssg
        Exit Function
    End If

    lowered = LCase(ssg)
    blocked = False

    If InStr(lowered, "select") = 0 Then
        ' only queries are allowed on this path
        blocked = True
    Else
        ' Fragments that are rejected wherever they appear.
        For Each token In Array("select count", "select top", "list", "safe", _
                                "delete", "update", "insert", _
                                "id<", ">id", "id>", "<id", "=id")
            If InStr(lowered, token) <> 0 Then
                blocked = True
                Exit For
            End If
        Next

        If Not blocked Then
            If InStr(lowered, "id=") <> 0 And InStr(lowered, "ypid='") = 0 Then
                ' "id=" is tolerated only when the text also contains ypid='
                blocked = True
            ElseIf InStr(lowered, "gongneng='tzsj'") <> 0 Then
                ' the feature-data row is only handed out by plfp
                blocked = True
            End If
        End If
    End If

    If blocked Then
        getpdqx = "2"
    Else
        getpdqx = ssg
    End If
End Function
%>
<%
Function plBackupDB()
    ' Compacts the database in place. Despite the name no backup copy is kept.
    '
    ' The database is compacted into temp.mdb in the same folder, temp.mdb is
    ' copied over the original and then deleted.
    '
    ' Returns:
    '   "1" - the session is not marked privileged
    '   "2" - compaction finished
    '   "3" - the database file does not exist
    '
    ' NOTE(review): there is no error handling and no locking here. A failure
    ' between the steps, or a second request while this one runs, can leave
    ' temp.mdb behind in the database folder or overwrite a database that is
    ' in use.
    Dim fileSys, jet, source, folder, scratch

    If session(qxbz) <> daan Then
        plBackupDB = "1"
        Exit Function
    End If

    source = Server.MapPath(mdb)
    folder = Left(source, InStrRev(source, "\"))
    scratch = folder & "temp.mdb"

    Set fileSys = CreateObject("Scripting.FileSystemObject")
    If Not fileSys.FileExists(source) Then
        plBackupDB = "3"
        Exit Function
    End If

    Set jet = CreateObject("JRO.JetEngine")
    jet.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & source, _
                        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & scratch
    fileSys.CopyFile scratch, source
    fileSys.DeleteFile scratch

    Set fileSys = Nothing
    Set jet = Nothing
    plBackupDB = "2"
End Function
%>
<%
Function plcookies(sjck)
    ' Registration rate limit, used by dopdqx().
    '
    ' Statements that do not contain "insert" always yield 1. For an insert
    ' the "plcooktis" cookie is consulted: if it is absent or holds a time
    ' that has passed, a new time (now + zcsjjg minutes) is stored and 1 is
    ' returned; if it holds a time still in the future, 2 is returned.
    '
    ' Returns 1 = allowed, 2 = too soon.
    '
    ' NOTE(review): the only state is a cookie that the client sends back, so
    ' the interval is enforced only for clients that keep the cookie. A limit
    ' that has to hold needs server-side state, e.g. keyed on the account.
    Dim renew, verdict

    verdict = 1
    If InStr(LCase(sjck), LCase("insert")) <> 0 Then
        ' The cookie itself lives for seven days.
        Response.Cookies("plcooktis").Expires = Date() + 7

        If Request.Cookies("plcooktis") = "" Then
            renew = True
        ElseIf CDate(Request.Cookies("plcooktis")) > Now() Then
            renew = False
        Else
            renew = True
        End If

        If renew Then
            Response.Cookies("plcooktis") = Now() + zcsjjg / 24 / 60
            verdict = 1
        Else
            verdict = 2
        End If
    End If

    plcookies = verdict
End Function
%>