Backdoors in some PHP management system programs_PHP Tutorial

I don’t really care about the prompt box. How does SABLOG know that my version has vulnerabilities? The program must have a backdoor. Every time I log in to the background, it automatically detects the official version and compares it with the current version. Well, I found it later. In templates/admin/ The last part of main.php. Delete the following code and it will be OK. In fact, this is not enough to cause being hacked. Nowadays, it is generally common sense. The passwords are relatively complex, a few numbers + a few letters, and MD5 is usually very simple. It’s difficult to escape. Of course, if there is a rainbow table, let’s talk about it...

Copy code The code is as follows: i=1; var autourl=new Array(); autourl[1] = 'www.sablog.net'; autourl[2] = 'cnc.sablog.net'; function auto(url){ if(i){ i=0; var oHead = document.getElementsByTagName('head').item( 0); var oScript= document.createElement("script"); oScript.type = "text/javascript"; oScript.src = "http://"+url+"/update. php?version=$now_version&release=$now_release&hostname=$now_hostname"; oHead.appendChild(oScript); } } function run(){ for(var i=1; i document.write(" " ; It’s hard to say what the official intention of such a backdoor is. In order to allow users to get the latest patches in time, the latest version is on the one hand, and others can be used as they wish... But this Things have a good side and a bad side. Once the official website is hacked, the consequences can be imagined, and all users will be "banned" in batches. Let's just send them all out now. Let's start with DEDECMS , just delete the marked ones:

Copy the code

The code is as follows:

/include/inc_functions.php function GetNewInfo(){ if(!isset($GLOBALS['__funAdmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php"); return SpGetNewInfo(); } /include/inc/inc_fun_funAdmin.php function SpGetNewInfo(){ global $cfg_version; $nurl = $_SERVER["HTTP_HOST"]; if( eregi("[a-z -]{1,}.[a-z]{2,}",$nurl) ){ $nurl = urlencode($nurl); } else{ $nurl = "test"; } $gs = " "; return $gs; } dede/index_body.php (where dede is the backend directory) DedeCms latest news &lt ;form name="uploadspider" action="upload_spider.php" method="post">

Release the "back door" of DZ Search "function cpfooter" in .adminglobal.func.php and replace it with the following function:

Copy the code The code is as follows:

function cpfooter() { global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz; global $_COOKIE, $_SESSION , $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo; $infmessage = ''; ?> updatesession() ; }

There is also a function in this file. If it is not necessary, you can remove it:

Copy code Code As follows: function bbsinformation() { global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile; $update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile); $updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock'); if(emptyempty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) { @touch(DISCUZ_ROOT.'./forumdata/updatetime.lock'); $update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members"); $update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads"); $update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts"); $query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special"); while($thread = $db->fetch_array($query)) { $thread['special'] = intval($thread['special']); $update['spt_'.$thread['special']] = $thread['spcount']; } } $data = ''; foreach($update as $key => $value) { $data .= $key.'='.rawurlencode($value).'&'; } return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'×tamp='.$timestamp; } 还有admin/home.inc.php,大概193~196行(DZ6.1.0 UTF-8官方原版),这里: 复制代码 代码如下: showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array( lang('home_discuz_version'), 'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' '.lang('home_check_newversion').' ' )); 虽然说这里没有直接与官方进行通信,但是,,,我看着不爽,想打补丁自己常去官方看就是了.还有所有文件名中包含insenz的文件,用不着的话就直接删除.没什么用.

http://www.bkjia.com/PHPjc/320437.html www.bkjia.com true http://www.bkjia.com/PHPjc/320437.html TechArticle 我倒不怎么关心提示框,SABLOG怎么知道我的版本有漏洞呢,程序肯定有后门.每次登陆后台自动检测官方版本跟当前版本对比.嗯.后来找到了.在...