昨天看到MJJ问宝塔反代破解商业版的问题,刚开始我还以为是问反代相关的问题,结果是反代就能破解宝塔商业版
但是分享者提供的文件是不完全的:
location /api { proxy_pass http://119.147.144.34; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header REMOTE-HOST $remote_addr; add_header X-Cache $upstream_cache_status; #Set Nginx Cache add_header Cache-Control no-cache; expires 12h; } location ~ ^/(api/Plugin/check_plugin_status|api/panel/get_soft_list|api/panel/notpro|api/panel/plugin_total|api/cloudtro/get_product_order_status|api/coll/get_coll_plugin_list) { try_files $uri $uri/ /bt.php?$query_string&uri=$uri; }
一个不完全的Nginx配置文件
一个不符合规范的PHP文件
// # 记录请求 // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!"); // $txt = "[GET]" . http_build_query($_GET,'',', ') . "\n"; // fwrite($myfile, $txt); // $txt = "[POST]" . http_build_query($_POST,'',', ') . "\n"; // fwrite($myfile, $txt); // $txt = "[HEADERS]" . http_build_query($_SERVER,'',', ') . "\n"; // fwrite($myfile, $txt); // fclose($myfile); # 未设置请求参数不给请求 if(!isset($_GET['uri'])){ die("BT crack server 1.0"); } $base_url = 'http://119.147.144.34'; # 判断GET参数 if($_GET['uri'] == "/api/panel/get_soft_list" || $_GET['uri'] == "/api/panel/get_soft_list_test") { $ch = curl_init(); $httpHeader = ['Host: www.bt.cn']; // set url curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']); //return the transfer as a string curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST)); // $output contains the output string $output = curl_exec($ch); $output = json_decode($output, true); foreach ($output['list'] as $key => &$value) { # 付费插件全部到期日期修改 if(floatval($value['pid']) > 0){ $value['endtime'] = 253402185600; } } $output['pro'] = 0; $output['ltd'] = 1; // 返回JSON_ENCODE echo(json_encode($output)); // close curl resource to free up system resources curl_close($ch); }elseif ($_GET['uri'] == "/api/Plugin/check_plugin_status") { $output['status'] = true; // 返回JSON_ENCODE echo(json_encode($output)); }elseif ($_GET['uri'] == "/api/panel/plugin_total"){ echo("1"); }elseif ($_GET['uri'] == "/api/coll/get_coll_plugin_list"){ $ch = curl_init(); $httpHeader = ['Host: www.bt.cn']; // set url curl_setopt($ch, CURLOPT_URL, $base_url . 
$_GET['uri']); //return the transfer as a string curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST)); // $output contains the output string $output = curl_exec($ch); $output = json_decode($output, true); $output['num'] = 99999; $output['endtime'] = 253402185600; // # 记录请求 // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!"); // $txt = "[DATA]" . json_encode($output) . "\n"; // fwrite($myfile, $txt); // fclose($myfile); // 返回JSON_ENCODE echo(json_encode($output)); // close curl resource to free up system resources curl_close($ch); }elseif ($_GET['uri'] == "/api/cloudtro/get_product_order_status"){ $ch = curl_init(); $httpHeader = ['Host: www.bt.cn']; // set url curl_setopt($ch, CURLOPT_URL, $base_url . $_GET['uri']); //return the transfer as a string curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); curl_setopt($ch, CURLOPT_HTTPHEADER, $httpHeader); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST)); // $output contains the output string $output = curl_exec($ch); $output = json_decode($output, true); if($_POST['uid'] != 0){ $output['status'] = true; $output['msg'] = []; $output['msg']['endtime'] = 253402185600; $output['msg']['num'] = 99999; } // # 记录请求 // $myfile = fopen("newfile.txt", "a") or die("Unable to open file!"); // $txt = "[DATA]" . json_encode($output) . "\n"; // fwrite($myfile, $txt); // fclose($myfile); // 返回JSON_ENCODE echo(json_encode($output)); // close curl resource to free up system resources curl_close($ch); }
并且只留下了一句“反代,伪站,改hosts”,就扬长而去了
首先看伪站:
第一个想到的则是 www.bt.cn
使用tcpdump
抓包发现思路正确
之后看到Nginx的配置文件中有一行
try_files $uri $uri/ /bt.php?$query_string&uri=$uri;
所以确定应将php文件放置根目录,且名字为bt.php
之后将这些补充到完整的配置文件中
reload nginx
最后看php文件,
文件并没用一对,所以我们手动加上
扔到虚拟主机的根目录,把www.bt.cn重定向到本地,
更新文件列表,成功!
wget https://raw.githubusercontent.com/laoxong/lxongOther/master/Bash/bt.sh | bash bt.sh bash bt.sh
请提前安装curl