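Backdoor and bugs in the turnkey MU private-server WEB system

A backdoor, you know what I mean.

This is the WEB system used for turnkey server launches.

It is the kind of thing where you pay a few thousand yuan and get handed a pre-configured server so you can be a GM right away; it has fooled a lot of naive kids.

The files are encrypted, and decrypted copies were hard to find.

Look at the code.

LgKj.LocalDevilRank.asp:

(Irrelevant code at the top omitted.)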

Sc = Request.Form("ServerCode")
Job = Request.Form("Job")

If Sc = "" Then
    Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM  Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE  (memb_info.servercode = 0 ) AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
    rs1.open sql,conn,1,1
Else
    If Job = "" Then
        ' Sc is concatenated into the SQL text exactly as submitted
        Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM  Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE  (memb_info.servercode = "&Sc&" ) AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
        rs1.open sql,conn,1,1
    Else
        ' Sc and Job are both concatenated into the SQL text exactly as submitted
        Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM  Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE  (memb_info.servercode = "&Sc&" ) AND (Class = "&Job&") AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
        rs1.open sql,conn,1,1
    End If
End If

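This is the only place in the front end where injection is possible,

apart from the shared function library, which has not been decrypted and so cannot be inspected.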
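
The query above takes ServerCode and Job from the form and joins them into the SQL text. As an added example (not code from this system or its author), here is the same ranking query with validated integers and bound ADODB parameters. `ToSmallInt` is a hypothetical helper, and the block assumes `conn` and `rs1` are the connection and recordset objects the original page already created and that `servercode` and `Class` are integer columns.

```vbscript
<%
' Added example: the ranking query rebuilt with bound parameters.
' Assumes conn (open ADODB.Connection) and rs1 (ADODB.Recordset) already exist,
' and that servercode and Class are integer columns (they are compared unquoted above).
Const adCmdText = 1, adInteger = 3, adParamInput = 1

' Hypothetical helper: accept 1 to 4 decimal digits only, otherwise return the default.
' IsNumeric is avoided because it also accepts forms such as "1e3" and "&H10".
Function ToSmallInt(raw, defaultValue)
    Dim re, s
    s = Trim(raw & "")
    Set re = New RegExp
    re.Pattern = "^\d{1,4}$"
    If re.Test(s) Then
        ToSmallInt = CLng(s)
    Else
        ToSmallInt = defaultValue
    End If
End Function

Dim scVal, jobVal, cmd, sqlText
scVal = ToSmallInt(Request.Form("ServerCode"), 0)   ' empty or invalid -> server 0
jobVal = ToSmallInt(Request.Form("Job"), -1)        ' -1 means no class filter
' Difference from the original: Job is honoured even when ServerCode is empty.

sqlText = "SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID " & _
          "FROM Character INNER JOIN memb_info ON AccountID = memb_info.memb___id " & _
          "WHERE (memb_info.servercode = ?) "
If jobVal >= 0 Then sqlText = sqlText & "AND (Class = ?) "
sqlText = sqlText & "AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = sqlText
' Parameters bind positionally to the ? markers; the values never become SQL text.
cmd.Parameters.Append cmd.CreateParameter("sc", adInteger, adParamInput, , scVal)
If jobVal >= 0 Then
    cmd.Parameters.Append cmd.CreateParameter("job", adInteger, adParamInput, , jobVal)
End If

' Same cursor and lock types as the original call (1 = keyset, 1 = read-only).
rs1.Open cmd, , 1, 1
%>
```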

 

Next comes the back-end login check, taken from any one of the back-end files.

(Preceding code is irrelevant and omitted.)

<%
' Check whether the administrator is logged in
AdminName = ReplaceBadChar(Trim(Request.Cookies(webkey)("AdminName")))
AdminPassword = ReplaceBadChar(Trim(Request.Cookies(webkey)("AdminPassword")))
RndPassword = ReplaceBadChar(Trim(Request.Cookies(webkey)("RndPassword")))
If AdminName = "" Or AdminPassword = "" Or RndPassword = "" Then
        Response.Redirect "default.asp"
End If
%>

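What a great way to validate: the check only confirms that the three cookie values are non-empty and, in the code shown, never compares them with stored credentials.

webkey defaults to BaiWanMuWebServer.

In newer versions it seems to be BaiWanMU.Com.

The back end has no way of writing files at all!

There is one more flaw: the logged-in member can be changed by editing COOKIES, with no password verification, but it is not of much use.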
