Cracking BaoTa (宝塔) with a reverse proxy?!

Preface

Yesterday I saw an MJJ asking about cracking the BaoTa commercial edition with a reverse proxy. At first I assumed it was a question about reverse proxying in general, but it turned out that a reverse proxy alone is enough to crack the BaoTa commercial edition.

The sharer

But the files the sharer provided were incomplete:

    location /api {
      proxy_pass http://119.147.144.34;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header REMOTE-HOST $remote_addr;

      add_header X-Cache $upstream_cache_status;

      #Set Nginx Cache

      add_header Cache-Control no-cache;
      expires 12h;
    }

    location ~ ^/(api/Plugin/check_plugin_status|api/panel/get_soft_list|api/panel/notpro|api/panel/plugin_total|api/cloudtro/get_product_order_status|api/coll/get_coll_plugin_list) {
      try_files $uri $uri/ /bt.php?$query_string&uri=$uri;
    }

An incomplete Nginx configuration file

and a PHP file that does not follow conventions:

    // # Log the request
    // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
    // $txt = "[GET]" . http_build_query($_GET,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // $txt = "[POST]" . http_build_query($_POST,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // $txt = "[HEADERS]" . http_build_query($_SERVER,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // fclose($myfile);

    # Refuse requests that do not set the request parameter
    if(!isset($_GET['uri'])){
        die("BT crack server 1.0");
    }
    $base_url = 'http://119.147.144.34';

    # Check the GET parameter
    if($_GET['uri'] == "/api/panel/get_soft_list" || $_GET['uri'] == "/api/panel/get_soft_list_test") {
        $ch = curl_init();
        $httpHeader = ['Host: www.bt.cn'];
        // set url 
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']); 
        //return the transfer as a string 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        foreach ($output['list'] as $key => &$value) {
            # Rewrite the expiry date of every paid plugin
            if(floatval($value['pid'])>0){
                $value['endtime'] = 253402185600;
            }
        }
        $output['pro'] = 0;
        $output['ltd'] = 1;

        // Return JSON_ENCODE
        echo(json_encode($output));
        // close curl resource to free up system resources 
        curl_close($ch); 
    }elseif ($_GET['uri'] == "/api/Plugin/check_plugin_status") {
        $output['status'] = true;

        // Return JSON_ENCODE
        echo(json_encode($output));
    }elseif ($_GET['uri'] == "/api/panel/plugin_total"){
        echo("1");
    }elseif ($_GET['uri'] == "/api/coll/get_coll_plugin_list"){
        $ch = curl_init(); 
        $httpHeader = ['Host: www.bt.cn'];
        // set url 
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']); 
        //return the transfer as a string 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string 
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        $output['num'] = 99999;
        $output['endtime'] = 253402185600;

        // # Log the request
        // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
        // $txt = "[DATA]" . json_encode($output) . "\n";
        // fwrite($myfile, $txt);
        // fclose($myfile);

        // Return JSON_ENCODE
        echo(json_encode($output));
        // close curl resource to free up system resources 
        curl_close($ch); 
    }elseif ($_GET['uri'] == "/api/cloudtro/get_product_order_status"){
        $ch = curl_init(); 
        $httpHeader = ['Host: www.bt.cn'];
        // set url 
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']); 
        //return the transfer as a string 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string 
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        if($_POST['uid'] != 0){
            $output['status'] = true;
            $output['msg'] = [];
            $output['msg']['endtime'] = 253402185600;
            $output['msg']['num'] = 99999;
        }

        // # Log the request
        // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
        // $txt = "[DATA]" . json_encode($output) . "\n";
        // fwrite($myfile, $txt);
        // fclose($myfile);

        // Return JSON_ENCODE
        echo(json_encode($output));
        // close curl resource to free up system resources 
        curl_close($ch); 
    }

and left behind only one line, "reverse proxy, fake site, edit hosts", before walking off.

Approach

First, the fake site:

The first candidate that came to mind was www.bt.cn; capturing packets with tcpdump confirmed that this was the right direction.

Next, I noticed this line in the Nginx configuration file:

    try_files $uri $uri/ /bt.php?$query_string&uri=$uri;

So the PHP file must be placed in the web root and named bt.php.

Then merge these pieces into the complete configuration file

and reload nginx.

Finally, the PHP file:

the file has no `<?php ?>` pair, so we add one by hand,

drop it into the virtual host's root directory, point www.bt.cn at the local machine,

refresh the file list, and it succeeds!
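From the defender's side, the step that makes this work is a static hosts entry that points the vendor's API domain at a local fake site. The following is an added example (not from the post or the sharer) that parses a hosts file and reports any static entry for the vendor domain; VENDOR_HOSTS and the sample hosts content are constructed assumptions.

```python
import ipaddress

# Vendor API domains that should only resolve via public DNS (assumption).
VENDOR_HOSTS = frozenset({"www.bt.cn", "bt.cn"})

# Constructed sample hosts file: ordinary entries plus the hijack line the post adds.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# route the vendor API to the local fake site
127.0.0.1   www.bt.cn
10.0.0.5    internal.example.test
"""


def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map each hostname to the addresses /etc/hosts binds it to."""
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        # Strip '#' comments; skip blank lines and lines with no valid IP
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def find_hijacked(text: str, vendor_hosts=VENDOR_HOSTS) -> dict[str, list[str]]:
    """Return vendor hostnames that /etc/hosts pins statically (bypassing DNS)."""
    return {n: a for n, a in parse_hosts(text).items() if n in vendor_hosts}


def is_local_target(addr: str) -> bool:
    """True when the pinned address is loopback, private or otherwise non-global."""
    return not ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    for host, addrs in find_hijacked(SAMPLE_HOSTS).items():
        kind = "local" if all(is_local_target(a) for a in addrs) else "remote"
        print(f"ALERT: {host} pinned to {', '.join(addrs)} ({kind} target)")
```

Run it against the real `/etc/hosts` by reading the file into `find_hijacked`; any hit means license checks are no longer reaching the vendor.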


One-click script

wget https://raw.githubusercontent.com/laoxong/lxongOther/master/Bash/bt.sh | bash bt.sh

Install curl beforehand.
