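Fixing an industry website whose admin back end can no longer be accessed
Background
During login, an industry website started showing the message "请调整服务器设置,以保证网站的正常运行" ("Please adjust the server settings to keep the website running normally"). The site owner tried to contact the vendor, but the vendor could no longer be reached at all. With no fix available the site became a dead site, and you can imagine what that meant after so many years of hard work.
So why can't anyone get in? Logging in to the admin back end requires a verification call to the vendor's website. The vendor's verification site is down, so the admin back end is inaccessible, which is infuriating. The way around it is to stop the login from verifying against the vendor's site: decompile the DLL to IL code, edit the IL to delete the verification code, reassemble it into a DLL, and replace the original file.
First, download a decompiler to do the decompiling: dnSpy
Download: Latest release: https://github.com/0xd4d/dnSpy/releases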
D:\tools\dnSpy-netcore-win64
Decompile and locate the problem code
Use the URL to work out roughly where the code is
- Button click handler
    protected void btnlogin_Click(object sender, EventArgs e)
    {
        if (this.txtVerifyCode.Text != UserManageAdmin.VerifyCode)
        {
            base.Response.Write("<script>alert('校验码错误!')</script>");
            this.txtVerifyCode.Text = "";
        }
        else
        {
            int num = 0;
            // The call below is the line highlighted in the original post: it sets num.
            UserManageAdminInfo byName = UserManageAdmin.GetByName(this.TbxUserName.Text.Trim(), HttpContext.Current.Request.Url.AbsoluteUri, out num);
            if (num != 0)
            {
                base.Response.Write("<script>alert('请调整服务器设置,以保证网站的正常运行')</script>");
                UserManageAdmin.SetVerifyCode();
            }
            else if (byName == null)
            {
                base.Response.Write("<script>alert('无此用户!')</script>");
                UserManageAdmin.SetVerifyCode();
            }
            else if (SecurityUtility.Encrypt("", this.TbxPassword.Text) != byName.ManagerPassWord)
            {
                base.Response.Write("<script>alert('用户密码不正确!')</script>");
                UserManageAdmin.SetVerifyCode();
            }
            else
            {
                UserManageAdmin.Login(byName);
                byName.LoginCount++;
                byName.LoginIP = base.Request.UserHostAddress;
                byName.LastLoginDate = DateTime.Now;
                UserManageAdmin.Update(byName);
                base.Response.Redirect(UrlUtility.GetBaseURL() + "/admin/index.htm");
            }
        }
    }
- Look at UserManageAdmin.GetByName, which fetches the user information, to see what that code does.
    public static UserManageAdminInfo GetByName(string AdminName, string UserUrl, out int ErrorInt)
    {
        ErrorInt = 0;
        IUserManageAdmin userManageAdmin = UserManageAdmin.Create();
        UserManageAdminInfo userManageAdminInfo = null;
        SmartsiteVerify smartsiteVerify = new SmartsiteVerify();
        UserManageAdminInfo result;
        if (smartsiteVerify.UserMasterLogin(UserUrl.ToLower()))
        {
            userManageAdminInfo = userManageAdmin.GetByName(AdminName);
            result = userManageAdminInfo;
        }
        else
        {
            ErrorInt = -1;
            result = userManageAdminInfo;
        }
        return result;
    }
- So it first has to pass smartsiteVerify.UserMasterLogin. Let's see what that looks like.
    namespace TradeSite.UserMaster
    {
        // Token: 0x02000002 RID: 2
        public class SmartsiteVerify
        {
            // Token: 0x06000001 RID: 1 RVA: 0x000020D0 File Offset: 0x000010D0
            public bool UserMasterLogin(string strUrl)
            {
                Site5verify site5verify = new Site5verify();
                string text = this.DecryptGuid(ConfigurationSettings.AppSettings["Guid"]);
                string rnumber = "";
                bool result;
                if (text == "")
                {
                    result = false;
                }
                else
                {
                    string mainoneSmartsite = this.EncryptGuid(this.xmlPublicKey, text);
                    try
                    {
                        // VerifyMainone is the call highlighted in the original post.
                        string b = site5verify.VerifyMainone(mainoneSmartsite, out rnumber);
                        if (text != b)
                        {
                            return false;
                        }
                        if (!site5verify.Validatepath(strUrl, text, rnumber))
                        {
                            return false;
                        }
                    }
                    catch
                    {
                        return false;
                    }
                    result = true;
                }
                return result;
            }
            // (other members of the class are not shown in this excerpt)
        }
    }
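- And what does the verification function VerifyMainone do? It turns out that it calls a remote service through a web service to perform the verification.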
    // Token: 0x06000012 RID: 18 RVA: 0x0000243C File Offset: 0x0000143C
    [SoapDocumentMethod("http://tempuri.org/VerifyMainone", RequestNamespace = "http://tempuri.org/", ResponseNamespace = "http://tempuri.org/", Use = SoapBindingUse.Literal, ParameterStyle = SoapParameterStyle.Wrapped)]
    public string VerifyMainone(string MainoneSmartsite, out string RNumber)
    {
        object[] array = base.Invoke("VerifyMainone", new object[]
        {
            MainoneSmartsite
        });
        RNumber = (string)array[1];
        return (string)array[0];
    }
The fix is to change the code analysed in the second step above so that it bypasses the verification
    public static UserManageAdminInfo GetByName(string AdminName, string UserUrl, out int ErrorInt)
    {
        ErrorInt = 0;
        IUserManageAdmin userManageAdmin = UserManageAdmin.Create();
        UserManageAdminInfo userManageAdminInfo = null;
        SmartsiteVerify smartsiteVerify = new SmartsiteVerify();
        UserManageAdminInfo result;
        if (smartsiteVerify.UserMasterLogin(UserUrl.ToLower()))
        {
            userManageAdminInfo = userManageAdmin.GetByName(AdminName);
            result = userManageAdminInfo;
        }
        else
        {
            ErrorInt = -1;
            result = userManageAdminInfo;
        }
        return result;
    }
Change it to
    public static UserManageAdminInfo GetByName(string AdminName, string UserUrl, out int ErrorInt)
    {
        ErrorInt = 0;
        IUserManageAdmin userManageAdmin = UserManageAdmin.Create();
        return userManageAdmin.GetByName(AdminName);
    }
Edit the instructions with Microsoft's disassembler
"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ildasm.exe"
Then dump the assembly to .il and .res files
Or run it from the command line: "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ildasm.exe" TradeSite.UserManage.Component.dll /output:TradeSite.UserManage.Component.il
Edit the .il file
    .method public hidebysig static class TradeSite.UserManage.Model.UserManageAdminInfo
            GetByName(string AdminName,
                      string UserUrl,
                      [out] int32& ErrorInt) cil managed
    {
      // Code size 61 (0x3d)
      .maxstack 2
      .locals init (class TradeSite.UserManage.IDAL.IUserManageAdmin V_0,
               class TradeSite.UserManage.Model.UserManageAdminInfo V_1,
               class [TradeSite.UserMaster]TradeSite.UserMaster.SmartsiteVerify V_2,
               class TradeSite.UserManage.Model.UserManageAdminInfo V_3,
               bool V_4)
      IL_0000: nop
      IL_0001: ldarg.2
      IL_0002: ldc.i4.0
      IL_0003: stind.i4
      IL_0004: call class TradeSite.UserManage.IDAL.IUserManageAdmin TradeSite.UserManage.DALFactory.UserManageAdmin::Create()
      IL_0009: stloc.0
      IL_000a: ldnull
      IL_000b: stloc.1
      IL_000c: newobj instance void [TradeSite.UserMaster]TradeSite.UserMaster.SmartsiteVerify::.ctor()
      IL_0011: stloc.2
      IL_0012: ldloc.2
      IL_0013: ldarg.1
      IL_0014: callvirt instance string [mscorlib]System.String::ToLower()
      IL_0019: callvirt instance bool [TradeSite.UserMaster]TradeSite.UserMaster.SmartsiteVerify::UserMasterLogin(string)
      IL_001e: ldc.i4.0
      IL_001f: ceq
      IL_0021: stloc.s V_4
      IL_0023: ldloc.s V_4
      IL_0025: brtrue.s IL_0034
      IL_0027: nop
      IL_0028: ldloc.0
      IL_0029: ldarg.0
      IL_002a: callvirt instance class TradeSite.UserManage.Model.UserManageAdminInfo TradeSite.UserManage.IDAL.IUserManageAdmin::GetByName(string)
      IL_002f: stloc.1
      IL_0030: ldloc.1
      IL_0031: stloc.3
      IL_0032: br.s IL_003b
      IL_0034: ldarg.2
      IL_0035: ldc.i4.m1
      IL_0036: stind.i4
      IL_0037: ldloc.1
      IL_0038: stloc.3
      IL_0039: br.s IL_003b
      IL_003b: ldloc.3
      IL_003c: ret
    } // end of method UserManageAdmin::GetByName
Find the relevant code and change it to the following
    .method public hidebysig static class TradeSite.UserManage.Model.UserManageAdminInfo
            GetByName(string AdminName,
                      string UserUrl,
                      [out] int32& ErrorInt) cil managed
    {
      // Code size 61 (0x3d)  (stale ildasm comment from the original body; ilasm ignores it)
      .maxstack 2
      .locals init (class TradeSite.UserManage.IDAL.IUserManageAdmin V_0,
               class TradeSite.UserManage.Model.UserManageAdminInfo V_1,
               class [TradeSite.UserMaster]TradeSite.UserMaster.SmartsiteVerify V_2,
               class TradeSite.UserManage.Model.UserManageAdminInfo V_3,
               bool V_4)
      // The IL_xxxx labels are only names for ilasm; they need not match byte offsets.
      IL_0000: nop
      IL_0001: ldarg.2
      IL_0002: ldc.i4.0
      IL_0003: stind.i4
      IL_0005: call class TradeSite.UserManage.IDAL.IUserManageAdmin TradeSite.UserManage.DALFactory.UserManageAdmin::Create()
      IL_0006: stloc.0
      IL_0007: ldloc.0
      IL_0008: ldarg.0
      IL_0009: callvirt instance class TradeSite.UserManage.Model.UserManageAdminInfo TradeSite.UserManage.IDAL.IUserManageAdmin::GetByName(string)
      IL_000e: stloc.1
      IL_000f: ldloc.1
      // The result goes in V_3 (UserManageAdminInfo); V_2 is declared as SmartsiteVerify.
      IL_0010: stloc.3
      IL_0011: br.s IL_0013
      IL_0013: ldloc.3
      IL_0014: ret
    } // end of method UserManageAdmin::GetByName
Reassemble
Use Framework64, and pay attention to the .NET version
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /dll /resource=TradeSite.UserManage.Component.res TradeSite.UserManage.Component.il /output:TradeSite.UserManage.Component.dll
Replace the DLL file
Fortunately TradeSite.UserManage.Component.dll is not strong-name signed; if it had been, there would have been nothing more that could be done.