Cracking BaoTa with a reverse proxy?!

Preface

Yesterday I saw an MJJ asking about cracking the BaoTa commercial edition with a reverse proxy. At first I assumed it was a question about reverse proxying in general, but it turned out that a reverse proxy alone is enough to crack the BaoTa commercial edition.

What was shared

But the files the sharer provided were incomplete:

    location /api {
      proxy_pass http://119.147.144.34;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header REMOTE-HOST $remote_addr;

      add_header X-Cache $upstream_cache_status;

      #Set Nginx Cache

      add_header Cache-Control no-cache;
      expires 12h;
    }

    location ~ ^/(api/Plugin/check_plugin_status|api/panel/get_soft_list|api/panel/notpro|api/panel/plugin_total|api/cloudtro/get_product_order_status|api/coll/get_coll_plugin_list) {
      try_files $uri $uri/ /bt.php?$query_string&uri=$uri;
    }

an incomplete Nginx configuration file,

and a PHP file that is not well-formed:

    <?php
    // # log the request
    // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
    // $txt = "[GET]" . http_build_query($_GET,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // $txt = "[POST]" . http_build_query($_POST,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // $txt = "[HEADERS]" . http_build_query($_SERVER,'',', ') . "\n";
    // fwrite($myfile, $txt);
    // fclose($myfile);

    # refuse requests that do not carry the uri parameter
    if(!isset($_GET['uri'])){
        die("BT crack server 1.0");
    }

    $base_url = 'http://119.147.144.34';

    # dispatch on the uri GET parameter
    if($_GET['uri'] == "/api/panel/get_soft_list" || $_GET['uri'] == "/api/panel/get_soft_list_test") {
        $ch = curl_init();
        $httpHeader = ['Host: www.bt.cn'];
        // set url
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']);
        // return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        foreach ($output['list'] as $key => &$value) {
            # rewrite the expiry date of every paid plugin
            if(floatval($value['pid']) > 0){
                $value['endtime'] = 253402185600;
            }
        }
        unset($value); // drop the reference left over from the foreach
        $output['pro'] = 0;
        $output['ltd'] = 1;

        // return JSON
        echo(json_encode($output));
        // close curl resource to free up system resources
        curl_close($ch);
    }elseif ($_GET['uri'] == "/api/Plugin/check_plugin_status") {
        $output = [];
        $output['status'] = true;

        // return JSON
        echo(json_encode($output));
    }elseif ($_GET['uri'] == "/api/panel/plugin_total"){
        echo("1");
    }elseif ($_GET['uri'] == "/api/coll/get_coll_plugin_list"){
        $ch = curl_init();
        $httpHeader = ['Host: www.bt.cn'];
        // set url
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']);
        // return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        $output['num'] = 99999;
        $output['endtime'] = 253402185600;

        // # log the request
        // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
        // $txt = "[DATA]" . json_encode($output) . "\n";
        // fwrite($myfile, $txt);
        // fclose($myfile);

        // return JSON
        echo(json_encode($output));
        // close curl resource to free up system resources
        curl_close($ch);
    }elseif ($_GET['uri'] == "/api/cloudtro/get_product_order_status"){
        $ch = curl_init();
        $httpHeader = ['Host: www.bt.cn'];
        // set url
        curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']);
        // return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
        // $output contains the output string
        $output = curl_exec($ch);
        $output = json_decode($output, true);

        // uid may be absent from the POST body; treat that as 0
        if(($_POST['uid'] ?? 0) != 0){
            $output['status'] = true;
            $output['msg'] = [];
            $output['msg']['endtime'] = 253402185600;
            $output['msg']['num'] = 99999;
        }

        // # log the request
        // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!");
        // $txt = "[DATA]" . json_encode($output) . "\n";
        // fwrite($myfile, $txt);
        // fclose($myfile);

        // return JSON
        echo(json_encode($output));
        // close curl resource to free up system resources
        curl_close($ch);
    }
    ?>

and the sharer left behind only one line, "reverse proxy, fake site, edit hosts", before walking off.

Approach

First, the fake site:

The first candidate that came to mind was www.bt.cn, and capturing packets with tcpdump confirmed that this was the right idea.

Then I noticed a line in the Nginx configuration:

try_files $uri $uri/ /bt.php?$query_string&uri=$uri;

so the PHP file must be placed in the web root and named bt.php.

Then these fragments are merged into the complete configuration file,

and nginx is reloaded.

Finally, the PHP file:

the file has no <?php ?> pair, so we add it by hand,

drop it into the virtual host's root directory, redirect www.bt.cn to the local machine,

refresh the file list, and it works!
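For an administrator auditing a server, the setup above leaves two detectable traces: a hosts-file entry that maps the license server name to a local or private address, and license replies whose expiry fields carry the fixed far-future value the PHP file writes. The following is an added example (not code from the original post or from the BaoTa project) that checks for both; the hosts text and the two JSON replies are constructed samples, and the field names (endtime, pro, ltd, list) and the sentinel 253402185600 are taken from the PHP file above.

```python
"""Defender-side checks for the license-spoofing setup described in the post.

Added example; sample inputs are constructed, not captured from a real host.
"""
import ipaddress
import json
import time

LICENSE_HOST = "www.bt.cn"
# The expiry the spoofing script writes: 9999-12-31 00:00:00 UTC+8.
SPOOF_SENTINEL = 253402185600
# A real subscription expiring further out than this is implausible.
MAX_PLAUSIBLE_YEARS = 20


def hosts_overrides(hosts_text, hostname=LICENSE_HOST):
    """Return addresses that the hosts text maps `hostname` to, keeping only
    loopback / private / link-local ones, i.e. the redirection to a fake site."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if hostname not in names:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not our concern here
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            hits.append(addr)
    return hits


def license_response_findings(body, now=None):
    """Inspect a JSON license/plugin-list reply and return a list of findings:
    the exact spoof sentinel, any implausibly distant expiry, and the pro/ltd
    flag combination the spoofing script sets."""
    now = time.time() if now is None else now
    horizon = now + MAX_PLAUSIBLE_YEARS * 365 * 86400
    data = json.loads(body) if isinstance(body, str) else body
    findings = []

    def check_endtime(path, value):
        try:
            ts = float(value)
        except (TypeError, ValueError):
            return
        if ts == SPOOF_SENTINEL:
            findings.append(f"{path}: endtime equals the known spoof sentinel {SPOOF_SENTINEL}")
        elif ts > horizon:
            findings.append(f"{path}: endtime {int(ts)} is more than {MAX_PLAUSIBLE_YEARS} years out")

    if "endtime" in data:
        check_endtime("endtime", data["endtime"])
    msg = data.get("msg")
    if isinstance(msg, dict) and "endtime" in msg:
        check_endtime("msg.endtime", msg["endtime"])
    for i, item in enumerate(data.get("list", [])):
        if isinstance(item, dict) and "endtime" in item:
            check_endtime(f"list[{i}].endtime", item["endtime"])
    if data.get("pro") == 0 and data.get("ltd") == 1:
        findings.append("pro=0 and ltd=1 set exactly as the spoofing script writes them")
    return findings


# Constructed sample inputs for a stand-alone run.
SAMPLE_HOSTS = """127.0.0.1 localhost
# license server redirected to the local fake site
127.0.0.1 www.bt.cn
10.0.0.5 www.bt.cn
1.2.3.4 example.com
"""
SAMPLE_SPOOFED = json.dumps({
    "pro": 0, "ltd": 1,
    "list": [{"pid": 1, "endtime": 253402185600}, {"pid": 0, "endtime": 0}],
})
SAMPLE_CLEAN = json.dumps({"pro": 0, "ltd": 0, "list": [{"pid": 1, "endtime": 1700000000}]})

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS))
    print(license_response_findings(SAMPLE_SPOOFED, now=1700000000))
    print(license_response_findings(SAMPLE_CLEAN, now=1700000000))
```

Both checks are cheap enough to run from a periodic job; the hosts check is the more reliable signal, since the plain-HTTP license exchange gives the panel itself no way to tell the real server from the fake one.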


One-click script

wget https://raw.githubusercontent.com/laoxong/lxongOther/master/Bash/bt.sh | bash bt.sh

Install curl beforehand.
