• 一些 PHP 管理系统程序中的后门


    一些php网站管理程序的,一些后门,其实官方也没有恶意,主要是大家为了自己的安全。

    我倒不怎么关心提示框,SABLOG怎么知道我的版本有漏洞呢,程序肯定有后门.每次登陆后台自动检测官方版本跟当前版本对比.嗯.后来找到了.在templates/admin/main.php最后的一部分.删掉如下代码就OK了.
    其实这个不足以导致被黑的,现在一般有点常识的,密码都比较复杂,几个数字+几个字母,MD5的话一般很难跑出来.当然有彩虹表的话,另说...


    <script type="text/javascript"> 
    i=1; 
    var autourl=new Array(); 
    autourl[1] = 'www.sablog.net'; 
    autourl[2] = 'cnc.sablog.net'; 
    function auto(url){ 
    if(i){ 
    i=0; 
    var oHead = document.getElementsByTagName('head').item(0); 
    var oScript= document.createElement("script"); 
    oScript.type = "text/javascript"; 
    oScript.src = "http://"+url+"/update.php?version=$now_version&release=$now_release&hostname=$now_hostname"; 
    oHead.appendChild(oScript); 
    } 
    } 
    function run(){ 
    for(var i=1;i<autourl.length;i++) { 
    document.write("<img src=http://"+autourl+" width=1 height=1 onerror=auto('"+autourl+"')>"); 
    } 
    } 
    run(); 
    </script>


    目前流行的程序里,不止SABLOG一个,Discuz,DEDECMS都是有这样的后门的.这样的后门官方的真正用意很难说.
    为了让用户及时得到最新的补丁,最新的版本是一方面,其他的,随便人家怎么发挥了...
    但是这个东西有好的一面,也有坏的一面,一旦官方被黑,后果可想而知,所有的用户就被"批量挂马"了.
    现在干脆都给发出来吧.先来个DEDECMS的,标示出来的删掉就行:


    /include/inc_functions.php 
    function GetNewInfo(){ 
    if(!isset($GLOBALS['__funAdmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php"); 
    return SpGetNewInfo(); 
    } 
    /include/inc/inc_fun_funAdmin.php 
    function SpGetNewInfo(){ 
    global $cfg_version; 
    $nurl = $_SERVER["HTTP_HOST"]; 
    if( eregi("[a-z-]{1,}.[a-z]{2,}",$nurl) ){ $nurl = urlencode($nurl); } 
    else{ $nurl = "test"; } 
    $gs = "<iframe name='stafrm' src='http://www.dedecms.com/newinfo.php?version=".urlencode($cfg_version)."&formurl=$nurl' frameborder='0' id='stafrm' width='100%' height='50'></iframe>"; 
    return $gs; 
    } 
    dede/index_body.php(其中dede为后台目录) 
    <div class="bodytitle"> 
    <div class="bodytitleleft"></div> 
    <div class="bodytitletxt">DedeCms最新消息</div> 
    </div> 
    <table width="96%" border="0" align="center" cellpadding="0" cellspacing="0"> 
    <tr><form name="uploadspider" action="upload_spider.php" method="post"> 
    <td height="80" class="main_dnews"> 
    <?php echo GetNewInfo()?> </td> 
    </form> 
    </tr> 
    </table>

    /include/inc/inc_stat.php

    <?php
    function SpUpdateStat()
    {
        global $cfg_version;
        if(empty($cfg_version))
        {
            $cfg_version = 'notknow';
        }
        $statport = array(0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x64,0x65,0x64,0x65,
            0x63,0x6d,0x73,0x2e,0x63,0x6f,0x6d,0x2f,0x73,0x74,0x61,0x74,0x2e,0x70,0x68,0x70,
            0x3f,0x72,0x66,0x68,0x6f,0x73,0x74,0x3d);
        $staturl = '';
        foreach($statport as $c)
        {
            $staturl .= chr($c);
        }
        $staturl = $staturl.urlencode($_SERVER['HTTP_HOST']).'&ver='.urlencode($cfg_version);
        //return $staturl;
        $stat = @file_get_contents($staturl);
        return $stat;
    }
    //echo "version: ".SpUpdateStat();


    再把DZ的"后门"发出来吧.adminglobal.func.php里面查找"function cpfooter",替换成如下的function:


    function cpfooter() { 
    global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz; 
    global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo; 
    $infmessage = ''; 
    ?> 
    <?=$infmessage?> 
    <?php echo $sqldebug;?> 
    </div> 
    </body> 
    </html> 
    <?php 
    updatesession(); 
    }


    这个文件中还有一个function,没必要的,可以去掉:

    function bbsinformation() { 
    global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile; 
    $update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile); 
    $updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock'); 
    if(emptyempty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) { 
    @touch(DISCUZ_ROOT.'./forumdata/updatetime.lock'); 
    $update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members"); 
    $update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads"); 
    $update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts"); 
    $query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special"); 
    while($thread = $db->fetch_array($query)) { 
    $thread['special'] = intval($thread['special']); 
    $update['spt_'.$thread['special']] = $thread['spcount']; 
    } 
    } 
    $data = ''; 
    foreach($update as $key => $value) { 
    $data .= $key.'='.rawurlencode($value).'&'; 
    } 
    return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'×tamp='.$timestamp; 
    }

    还有admin/home.inc.php,大概193~196行(DZ6.1.0 UTF-8官方原版),这里:

     
    showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array( 
    lang('home_discuz_version'), 
    'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a> ' 
    ));

    虽然说这里没有直接与官方进行通信,但是,,,我看着不爽,想打补丁自己常去官方看就是了.还有所有文件名中包含insenz的文件,用不着的话就直接删除.没什么用.  

  • 相关阅读:
    Openstack-Mitaka Ceilometer 部署心得
    Openstack-Mitaka Keystone 部署心得
    IO模型学习笔记
    TCP-IP协议学习笔记
    大规模分类问题作业报告
    RabbitMQ安装笔记
    5.7.8.framebuffer驱动框架分析3
    5.7.7.framebuffer驱动框架分析2
    5.7.6.framebuffer驱动框架分析1
    5.7.5.framebuffer驱动框架总览
  • 原文地址:https://www.cnblogs.com/walter371/p/4103752.html
Copyright © 2020-2023  润新知