最近看到Tide安全团队的文章,介绍了宝塔新旧版本绑定相关的功能点,于是尝试对新版的手机号绑定进行绕过。


绕过手机号绑定

麻烦且粗暴的方法

经过一番摸索,可以做到不绑定手机号,但后台有几处功能点无法正常使用,比较蛋疼。

用户协议 确认

/www/server/panel/data/licenes.pl

True

建一个假的userInfo.json

/www/server/panel/data/userInfo.json

{
    "uid": 111111,
    "address": "127.0.0.1",
    "access_key": "",
    "secret_key": "",
    "addtime": 1664633884,
    "username": "11111111111",
    "idc_code": "",
    "state": 1,
    "serverid": "1111111111111111111111111111111111111111111111111111111111111111",
    "ukey": ""
  }
/www/server/panel/data/sid.pl

111

修改 softList 的值

/www/server/panel/class/panelPlugin.py

990-994
把以下5行
if not 'list' in softList:
            if 'msg' in softList:
                raise public.PanelError(softList['msg'])
            else:
                raise public.PanelError('获取插件列表失败!')

改为
softList={"list":[]}

删除get_pd

/www/server/panel/BTPanel/__init__.py

855
defs = ('get_lines', 'php_info', 'change_phpmyadmin_ssl_port', 'set_phpmyadmin_ssl', 'get_phpmyadmin_ssl','get_pd','get_pay_type',
            'check_user_auth', 'to_not_beta', 'get_beta_logs', 'apple_beta', 'GetApacheStatus', 'GetCloudHtml',
            'get_load_average', 'GetOpeLogs', 'GetFpmLogs', 'GetFpmSlowLogs', 'SetMemcachedCache', 'GetMemcachedStatus',
            'GetRedisStatus', 'GetWarning', 'SetWarning', 'CheckLogin', 'GetSpeed', 'GetAd', 'phpSort', 'ToPunycode',
            'GetBetaStatus', 'SetBeta', 'setPHPMyAdmin', 'delClose', 'KillProcess', 'GetPHPInfo', 'GetQiniuFileList','get_process_tops','get_process_cpu_high',
            'UninstallLib', 'InstallLib', 'SetQiniuAS', 'GetQiniuAS', 'GetLibList', 'GetProcessList', 'GetNetWorkList',
            'GetNginxStatus', 'GetPHPStatus', 'GetTaskCount', 'GetSoftList', 'GetNetWorkIo', 'GetDiskIo', 'GetCpuIo','ignore_version',
            'CheckInstalled', 'UpdatePanel', 'GetInstalled', 'GetPHPConfig', 'SetPHPConfig','log_analysis','speed_log','get_result','get_detailed')

改为
defs = ('get_lines', 'php_info', 'change_phpmyadmin_ssl_port', 'set_phpmyadmin_ssl', 'get_phpmyadmin_ssl','get_pay_type',
            'check_user_auth', 'to_not_beta', 'get_beta_logs', 'apple_beta', 'GetApacheStatus', 'GetCloudHtml',
            'get_load_average', 'GetOpeLogs', 'GetFpmLogs', 'GetFpmSlowLogs', 'SetMemcachedCache', 'GetMemcachedStatus',
            'GetRedisStatus', 'GetWarning', 'SetWarning', 'CheckLogin', 'GetSpeed', 'GetAd', 'phpSort', 'ToPunycode',
            'GetBetaStatus', 'SetBeta', 'setPHPMyAdmin', 'delClose', 'KillProcess', 'GetPHPInfo', 'GetQiniuFileList','get_process_tops','get_process_cpu_high',
            'UninstallLib', 'InstallLib', 'SetQiniuAS', 'GetQiniuAS', 'GetLibList', 'GetProcessList', 'GetNetWorkList',
            'GetNginxStatus', 'GetPHPStatus', 'GetTaskCount', 'GetSoftList', 'GetNetWorkIo', 'GetDiskIo', 'GetCpuIo','ignore_version',
            'CheckInstalled', 'UpdatePanel', 'GetInstalled', 'GetPHPConfig', 'SetPHPConfig','log_analysis','speed_log','get_result','get_detailed')

修改check_user_auth函数的返回

/www/server/panel/class/ajax.py

1300行左右的
				try:
            userInfo = json.loads(public.ReadFile(u_path))
        except:
            if os.path.exists(u_path): os.remove(u_path)
            return public.returnMsg(False,'宝塔帐户绑定已失效,请在[设置]页面重新绑定!')

改为
				try:
            userInfo = json.loads(public.ReadFile(u_path))
        except:
            userInfo = json.loads(public.ReadFile(u_path))

1300行左右的
if result == '0':
            if os.path.exists(u_path): os.remove(u_path)
            return public.returnMsg(False,'宝塔帐户绑定已失效,请在[设置]页面重新绑定!')

改为
if result == '0':
            session[m_key] = public.returnMsg(True,'绑定有效!')
            return session[m_key]

修改 is_verify_unbinding 函数的判断

/www/server/panel/class/panelPlugin.py

 3050行左右的
							if not list_body['status']:
                if os.path.exists(path):os.remove(path)
                return False
把这3行删掉

执行 bt 命令并选择 1 重启面板服务即可;之后后台的 docker(专业版)、防火墙(专业版)和软件商店无法正常使用,其余功能正常。