<?php
if(isset($_GET['action'])) {
$Host = 'esales.shanda.com.cn';
$User = $_POST['vid'];
$Pass = $_POST['vpw'];
$VCodeURL = '/NumCode/NumImage.asp';
$LoginURL = '/chklogin.asp';
$FormURL1 = '/pay/m_check_gamer1.asp';
$FormURL2 = '/pay/pay_do_mir2.asp?m=0.1234567890';
$IP = gethostbyname($Host); /* 因为对方服务器使用负载分流,为了保证提交的网页信息由相同服务器处理,
所以在此先获取域名IP */
function GetVCode($ImgBuffer) {
$vcode = '';
/* 这里有16行代码,因为这属于商业代码,所以我无法公开,见谅 */
return $vcode;
}
/* 取得验证码 */
$IMGP = @fsockopen($IP, 80, $errno, $errstr, 10);
if(!$IMGP) {
echo $errstr .'('. $errno .')<br>服务器连接失败<br>';
exit;
} else {
fputs($IMGP, "GET ". $VCodeURL ." HTTP/1.1\r\n".
"Host: ". $Host ."\r\n".
"Referer: http://esales.shanda.com.cn/homepage.htm\r\n".
"Accept: */*\r\n".
"Connection: close\n\n");
$GLine = '';
while(!feof($IMGP)) {
if($GLine == '') {
if($ImgBuffer = strstr(fgets($IMGP, 255), "Set-Cookie:")) $GLine = $ImgBuffer;
} else $ImgBuffer = fgets($IMGP, 4096);
}
fclose($IMGP);
$GLine = explode(";", $GLine);
$Cookie = substr($GLine[0], 12);
$vcode = GetVCode($ImgBuffer);
}
/* END */
/* 发送登录表单 */
$LOGP = @fsockopen($IP, 80, $errno, $errstr, 10);
if(!$LOGP) {
echo $errstr .'('. $errno .')<br>服务器连接失败<br>';
exit;
} else {
$FormStr = "vendor_id=". $User ."&vendor_pwd=". $Pass ."&extcode=". $vcode;
$FormLen = strlen($FormStr);
fputs($LOGP, "POST ". $LoginURL ." HTTP/1.1\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Host: ". $Host ."\n".
"Accept: */*\n".
"Cookie: ". $Cookie ."\n".
"Referer: http://esales.shanda.com.cn/homepage.htm\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\n".
"Content-Length: ". $FormLen ."\n\n".
$FormStr ."\n\n");
$Flag = '';
while(!feof($LOGP)) {
if($Flag = strstr(fgets($LOGP, 255), "Location:")) break;
}
fclose($LOGP);
$Flag = explode("=", $Flag);
$Flag = substr($Flag[1], 0, 8);
}
$Form = $FormURL ."?". $Flag;
/* 取得冲值验证码 */
$IMGP = @fsockopen($IP, 80, $errno, $errstr, 10);
if(!$IMGP) {
echo $errstr .'('. $errno .')<br>服务器连接失败<br>';
exit;
} else {
fputs($IMGP, "GET ". $VCodeURL ."?m=0.0.1234567890 HTTP/1.1\n".
"Host: ". $Host ."\n".
"Referer: http://esales.shanda.com.cn/pay/mir2.asp?". $Flag ."\n".
"Accept: * / *\n".
"Cookie: ". $Cookie ."\n".
"Connection: Keep-Alive\n\n");
while(!feof($IMGP)) {
$ImgBuffer = fgets($IMGP, 4096);
}
fclose($IMGP);
$fcode = GetVCode($ImgBuffer);
}
/* END */
/* 发送冲值表单 */
$FORMP = @fsockopen($IP, 80, $errno, $errstr, 10);
if(!$FORMP) {
echo $errstr .'('. $errno .')<br>服务器连接失败<br>';
exit;
} else {
$FormStr = "LoginID1=". $_POST['LoginID1'] ."&LoginID2=". $_POST['LoginID2'] ."&cardtype=". $_POST['cardtype']
."&ValidFld=". $_POST['ValidFld'] ."&ValidFld1=". $_POST['ValidFld1'] ."&h_pay_type=". $_POST['h_pay_type']
."&cardtype1=". $_POST['cardtype1'] ."&hideval=". $_POST['hideval'] ."&area=". $_POST['area'] ."&extcode=". $fcode;
$FormLen = strlen($FormStr);
fputs($FORMP, "POST ". $FormURL1 ." HTTP/1.1\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Host: ". $Host ."\n".
"Accept: */*\n".
"Cookie: ". $Cookie ."\n".
"Referer: http://esales.shanda.com.cn/pay/mir2.asp?". $Flag ."\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\n".
"Content-Length: ". $FormLen ."\n\n".
$FormStr ."\n\n");
$Account = $ACERR = '';
$AEF = FALSE;
while(!feof($FORMP)) {
$Account = fgets($FORMP, 255);
if(!$AEF && strstr($Account, "Location:")) break;
if(!$AEF && strstr($Account, "<html>")) $AEF = TRUE;
if($AEF) {
if(strstr($Account, "location.href")) $ACERR .= "location.href='mir2.php';\n";
elseif(strstr($Account, 'action="pay_do_mir2.asp"')) $ACERR .= '<form name="form1" method="post" action="mir2.php" onsubmit="return sel_click();">';
else $ACERR .= $Account;
}
}
fclose($FORMP);
}
if(!$AEF) {
$FORMP = @fsockopen($IP, 80, $errno, $errstr, 10);
if(!$FORMP) {
echo $errstr .'('. $errno .')<br>服务器连接失败<br>';
exit;
} else {
fputs($FORMP, "GET ". $FormURL2 ." HTTP/1.1\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Host: ". $Host ."\n".
"Accept: */*\n".
"Cookie: ". $Cookie ."\n".
"Referer: http://esales.shanda.com.cn/pay/mir2.asp?". $Flag ."\n".
"Connection: Keep-Alive\n\n");
while(!feof($FORMP)) {
if($Alert = strstr(fgets($FORMP, 255), "alert")) break;
}
fclose($FORMP);
$Alert = explode(';', $Alert);
$Alert = '<script>'. $Alert[0] .';location.href=\'mir2.php\';</script>';
}
}
echo $Alert . $ACERR;
} else {
/*以下大家不用细看。因为在这排版的原因,部分行我直接换行以避免单行太长影响查看,
所以可能会出现网页格式错误,如想调试,只需把传奇充值页面源码直接copy过来,加上经销商用户名及密码填写,去掉
验证码填写,即可 */
echo '
<HTML><HEAD><TITLE>∷∷传 奇[legend of mir]</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<LINK href="mir2_files/esales.css" type=text/css rel=stylesheet>
<SCRIPT>
function checksignup() {
if ( document.form.LoginID1.value == \'\' ) {
window.alert(\'请输入充值用户名\');
document.form.LoginID1.focus();
return false;
}
if ( document.form.LoginID2.value == \'\' ) {
window.alert(\'请输入检验充值用户名\');
document.form.LoginID2.focus();
return false;
}
if (document.form.LoginID1.value!=document.form.LoginID2.value)
{ alert(\'两次输入不匹配,请重新确认帐户!\');
document.form.LoginID2.focus();
return false;
}
if ( document.form.ValidFld.value == \'\' ) {
window.alert(\'请输入充值方式\');
return false;
}
if ( document.form.cardtype.value == \'\' ) {
window.alert(\'请输入卡的类型\');
return false;
}
if ( document.form.area.value == \'0\' ) {
window.alert(\'请输入用户所在区\');
return false;
}
if (confirm("您确认要用"+document.form.cardtype.value+"卡按"+document.form.h_pay_type.value+"方式给 "
+document.form.LoginID1.value+" 充值到 "+document.form.area.value+" 区吗?")==true ) {
return true;
} else {
return false;
}
}
</SCRIPT>
<META content="MSHTML 6.00.3790.0" name=GENERATOR></HEAD>
<BODY class=indexbg text=#000000 leftMargin=0 topMargin=20">
<FORM name=form onsubmit="document.form.Submit.disabled=\'true\';return checksignup()" action="mir2.php?action=do" method=post>
<TABLE borderColor=#ffe1d2 cellSpacing=1 cellPadding=0 width=450 align=center border=1>
<TBODY>
<TR height=40>
<TD align=middle colSpan=2>热血传奇充值</TD>
</TR>
<TR>
<TD align=middle width=106><B><font color="#ff0000">直销商帐号</font></B></TD>
<TD width=388>
<INPUT name=vid class=INPUT id="vid" size=30 maxLength=20> </TD>
</TR>
<TR>
<TD align=middle width=106 height=20><B><font color="#ff0000">直销商密码</font></B></TD>
<TD width=388 height=20>
<INPUT name=vpw type="password" class=INPUT id="vpw" size=30 maxLength=30> </TD>
</TR>
<TR>
<TD align=middle width=106>用户<B><FONT color=#ff0000>帐户</FONT></B>名</TD>
<TD width=388>
<INPUT class=INPUT maxLength=20 size=30 name=LoginID1> </TD>
</TR>
<TR>
<TD align=middle width=106 height=20>校验<B><FONT color=#ff0000>帐户</FONT></B>名</TD>
<TD width=388 height=20>
<INPUT class=INPUT maxLength=20 size=30 name=LoginID2> </TD>
</TR>
<INPUT type=hidden name=cardtype>
<INPUT type=hidden name=ValidFld>
<TR>
<TD align=middle width=106>选择卡类型</TD>
<TD width=388> <TABLE width="100%" border=0>
<TBODY>
<TR>
<TD></TD>
<TD>卡类型</TD>
<TD>游戏时间</TD>
<TD align=middle>建议零售价</TD>
</TR>
<TR>
<TD><INPUT onclick="document.form.cardtype.value=\'10\';" type=radio value=10 name=ValidFld1></TD>
<TD>传奇充值卡(10卡)</TD>
<TD>30天/120小时</TD>
<TD align=middle>35元</TD>
</TR>
<TR>
<TD><INPUT onclick="document.form.cardtype.value=\'68\';" type=radio value=68 name=ValidFld1></TD>
<TD>盛大网络游戏卡(68卡)</TD>
<TD><FONT color=red><STRONG>30天/120小时</STRONG></FONT></TD>
<TD align=middle>35元</TD>
</TR>
<TR>
<TD><INPUT onclick="document.form.cardtype.value=\'69\';" type=radio value=69 name=ValidFld1></TD>
<TD>盛大网络游戏卡(69卡)</TD>
<TD>7天/30小时</TD>
<TD align=middle>10元</TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR>
<TD align=middle width=106>充值方式</TD>
<INPUT type=hidden name=h_pay_type>
<TD width=388><INPUT onclick="document.form.ValidFld.value=\'0\';document.form.h_pay_type.value=\'包月包日\';"
type=radio value=0 name=cardtype1>
包月包日
<INPUT onclick="document.form.ValidFld.value=\'1\';document.form.h_pay_type.value=\'按秒计时\';" type=radio value=1 name=cardtype1>
按秒计时</TD>
</TR>
<TR>
<TD align=middle>区域选择 </TD>
<TD><INPUT id=hideval type=hidden name=hideval>
<SELECT onchange=form.hideval.value=form.area.item(form.area.selectedIndex).text; name=area>
<OPTION value=0 selected>--请选择充值的区--</OPTION>
<OPTION
value=A01>传奇一区</OPTION>
<OPTION value=A02>传奇二区</OPTION>
<OPTION
value=A03>传奇三区</OPTION>
<OPTION value=A04>传奇四区</OPTION>
<OPTION
value=A05>传奇五区</OPTION>
<OPTION value=A06>传奇六区</OPTION>
<OPTION
value=A07>传奇七区</OPTION>
<OPTION value=A08>传奇八区</OPTION>
<OPTION
value=A09>传奇九区</OPTION>
<OPTION value=A10>传奇十区</OPTION>
<OPTION
value=A11>传奇十一区</OPTION>
<OPTION value=A12>传奇十二区</OPTION>
<OPTION
value=A13>传奇十三区</OPTION>
<OPTION value=A14>传奇十四区</OPTION>
<OPTION
value=A15>传奇十五区</OPTION>
<OPTION value=A16>传奇十六区</OPTION>
<OPTION
value=A17>传奇十七区</OPTION>
<OPTION value=A18>传奇十八区</OPTION>
<OPTION
value=A19>传奇十九区</OPTION>
<OPTION value=A20>传奇二十区</OPTION>
<OPTION
value=A21>传奇二一区</OPTION>
<OPTION value=A22>传奇二二区</OPTION>
<OPTION
value=A23>传奇二三区</OPTION>
<OPTION value=A24>传奇二四区</OPTION>
<OPTION
value=A25>传奇二五区</OPTION>
<OPTION value=A26>传奇二六区</OPTION>
<OPTION
value=A27>传奇二七区</OPTION>
<OPTION value=A28>传奇二八区</OPTION>
<OPTION
value=A29>传奇二九区</OPTION>
<OPTION value=A30>传奇三十区</OPTION>
<OPTION
value=A31>传奇三一区</OPTION>
<OPTION value=A32>传奇三二区</OPTION>
<OPTION
value=A33>传奇三三区</OPTION>
<OPTION value=A34>传奇三四区</OPTION>
<OPTION
value=A35>传奇三五区</OPTION>
<OPTION value=A36>传奇三六区</OPTION>
<OPTION
value=A37>传奇三七区</OPTION>
<OPTION value=A38>传奇三八区</OPTION>
<OPTION
value=A39>传奇三九区</OPTION>
<OPTION value=A40>传奇四十区</OPTION>
<OPTION
value=A41>传奇四一区</OPTION>
<OPTION value=A42>传奇四二区</OPTION>
<OPTION
value=A43>传奇四三区</OPTION>
<OPTION value=A44>传奇四四区</OPTION>
<OPTION
value=A45>传奇四五区</OPTION>
<OPTION value=A46>传奇四六区</OPTION>
<OPTION
value=A47>传奇四七区</OPTION>
<OPTION value=A48>传奇四八区</OPTION>
<OPTION
value=A49>传奇四九区</OPTION>
<OPTION value=A50>传奇五十区</OPTION>
<OPTION
value=A51>传奇五一区</OPTION>
<OPTION value=A52>传奇五二区</OPTION>
<OPTION
value=A53>传奇五三区</OPTION>
<OPTION value=A54>传奇五四区</OPTION>
<OPTION
value=A55>传奇五五区</OPTION>
<OPTION value=A56>传奇五六区</OPTION>
<OPTION
value=A57>传奇五七区</OPTION>
<OPTION value=A58>传奇五八区</OPTION>
<OPTION
value=A59>传奇五九区</OPTION>
<OPTION value=A60>传奇六十区</OPTION>
<OPTION
value=A61>传奇六一区</OPTION>
<OPTION value=A62>传奇六二区</OPTION>
<OPTION
value=A63>传奇六三区</OPTION>
<OPTION value=A64>传奇六四区</OPTION>
<OPTION
value=A65>传奇六五区</OPTION>
<OPTION value=A66>传奇六六区</OPTION>
<OPTION
value=A67>传奇六七区</OPTION>
<OPTION value=A68>传奇六八区</OPTION>
<OPTION
value=V01>传奇超级玩家区</OPTION>
</SELECT> </TD>
</TR>
<TR>
<TD align=middle
colSpan=2><INPUT type=submit value="充 值" name=Submit>
<INPUT onclick=history.back(); type=button value="返 回" name=backup> </TD>
</TR></TBODY>
</TABLE>
<BR>
<TABLE cellSpacing=0 cellPadding=0 width=450 align=center border=0>
<TBODY>
<TR>
<TD>
<P><FONT
color=#ff0000>简要说明:</FONT><BR> 请问清用户要购买的卡的类型,在用户帐
户名一栏中输入用户进行游戏的ID,并在校验帐户名一栏中再次输入,然后选择正确的充值方
式(包月或计秒),并一定要正确的选择用户游戏服务器所在的区域</P></TD></TR></TBODY></TABLE></FORM>
</BODY></HTML>';
}
论坛用户
论坛: 编程破解
标题: 传奇在线充值系统绕过验证码以达到直储的部分代码