Backdoors in some PHP management system programs

Source: Internet
Author: User

I hadn't paid much attention to the prompt box, but then I wondered: how does SABLOG know that my version has a vulnerability? The program must have a backdoor. Every time you log in to the admin backend, the official version is checked automatically and compared with the installed one. Later I found it, at the end of templates/admin/main.php. Delete the following code and you will be fine.
On its own this is not enough to get a site hacked. It is common sense nowadays to use a more complex password, a few digits plus a few letters, and an MD5 hash of such a password is generally hard to crack by brute force, unless someone has a rainbow table for it...

```javascript
<script type="text/javascript">
i = 1;
var autourl = new Array();
autourl[1] = 'www.sablog.net';
autourl[2] = 'cnc.sablog.net';
function auto(url) {
    if (i) {
        i = 0;
        // Inject a <script> from the vendor domain into the admin page,
        // passing the installed version, release and hostname as query parameters.
        // $now_version, $now_release and $now_hostname are filled in by the PHP template.
        var oHead = document.getElementsByTagName('head').item(0);
        var oScript = document.createElement("script");
        oScript.type = "text/javascript";
        oScript.src = "http://" + url + "/update.php?version=$now_version&release=$now_release&hostname=$now_hostname";
        oHead.appendChild(oScript);
    }
}
function run() {
    for (var i = 1; i < autourl.length; i++) {
        // The HTML string originally written here was stripped when the page was extracted.
        document.write("");
    }
}
run();
</script>
```

SABLOG is not the only popular program with this kind of backdoor; Discuz and DEDECMS have them too. It is hard to say what the vendors' intention is.
On one hand it lets users get the latest patch or version in time; on the other, who knows what else it could be used for...
Either way, this feature has both a good and a bad side: once the vendor's official website is hacked, every site running the program will get Trojans pushed to it in bulk.
Now let me post all of them. DEDECMS first; just delete the marked content:

/include/inc_functions.php
```php
function GetNewInfo() {
    if (!isset($GLOBALS['_funadmin'])) require_once(dirname(__FILE__) . "/inc/inc_fun_funAdmin.php");
    return SpGetNewInfo();
}
```
/include/inc/inc_fun_funAdmin.php
```php
function SpGetNewInfo() {
    global $pai_version;
    // Report the site's hostname (if it looks like a domain) and version to the vendor
    // by embedding an iframe pointing at dedecms.com in the admin page.
    $nurl = $_SERVER["HTTP_HOST"];
    if (eregi("[a-z\-]{1,}\.[a-z]{2,}", $nurl)) { $nurl = urlencode($nurl); }
    else { $nurl = "test"; }
    $gs = "<iframe name='statfrm' src='http://www.dedecms.com/newinfo.php?version=" . urlencode($pai_version) . "&formurl=$nurl' frameborder='0' id='statfrm' width='000000' height='50'></iframe>";
    return $gs;
}
```
dede/index_body.php (dede is the admin backend directory)
```html
<div class="bodytitle">
    <div class="bodytitleleft"></div>
    <div class="bodytitletxt">DedeCms latest message</div>
</div>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr><form name="uploadspider" action="upload_spider.php" method="post">
        <td height="80" class="main_dnews">
            <?php echo GetNewInfo()?></td>
    </form>
    </tr>
</table>
```

Next, the Discuz (DZ) "backdoor". In admin/global.func.php, find "function cpfooter" and replace it with the following function:
```php
function cpfooter() {
    global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz;
    global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo;
    // Nothing is fetched from the vendor any more; the footer only closes the page.
    $infmessage = '';
?>
<?=$infmessage?>
<?php echo $sqldebug;?>
</div>
</body>
</html>
<?php
    updatesession();
}
```

The same file also contains the following function, which is unnecessary and can be removed:
```php
function bbsinformation() {
    global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile;
    // Collect site identity, software versions and the administrator's mobile number.
    $update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile);
    // At most once every four hours, also count members, threads and posts.
    $updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock');
    if(empty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) {
        @touch(DISCUZ_ROOT.'./forumdata/updatetime.lock');
        $update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members");
        $update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads");
        $update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts");
        $query = $db->query("SELECT special, COUNT(*) AS spcount FROM {$tablepre}threads GROUP BY special");
        while($thread = $db->fetch_array($query)) {
            $thread['special'] = intval($thread['special']);
            $update['spt_'.$thread['special']] = $thread['spcount'];
        }
    }
    // Serialise as key=value&..., base64 it, and append a short hash over UA + values + timestamp.
    $data = '';
    foreach($update as $key => $value) {
        $data .= $key.'='.rawurlencode($value).'&';
    }
    return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'&timestamp='.$timestamp;
}
```
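The report above leaves the site as an opaque base64 blob, so an administrator watching outbound traffic cannot tell at a glance what was sent. The following is an added example, not Discuz code: a Python re-implementation of the same encoding (key=value pairs, base64, rawurlencode, 8-character slice of an MD5) together with a decoder that turns a captured `update=...&md5hash=...&timestamp=...` query string back into the fields that were reported. Function names and the sample report values are my own constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import parse_qs, quote

# Constructed sample of what bbsinformation() collects; none of these are real values.
SAMPLE_REPORT = {
    'uniqueid': 'EXAMPLE-UNIQUEID', 'version': '6.1.0', 'release': '20080101',
    'php': '5.2.6', 'mysql': '5.0.51', 'charset': 'utf-8',
    'bbname': 'Example Forum', 'mastermobile': '13800000000',
    'members': 1234, 'threads': 567, 'posts': 8901,
}


def build_update_payload(update, user_agent, timestamp):
    """Encode a report the way bbsinformation() does (hypothetical helper).

    Each value is rawurlencoded and joined as key=value&, the whole string is
    base64-encoded and rawurlencoded again, and md5hash is characters 8..15 of
    md5(user_agent + all values concatenated + timestamp).
    """
    data = ''.join(f"{k}={quote(str(v), safe='')}&" for k, v in update.items())
    digest = hashlib.md5(
        (user_agent + ''.join(str(v) for v in update.values()) + str(timestamp)).encode()
    ).hexdigest()
    blob = quote(base64.b64encode(data.encode()).decode(), safe='')
    return f"update={blob}&md5hash={digest[8:16]}&timestamp={timestamp}"


def decode_update_payload(query_string):
    """Reverse the encoding on a captured query string (hypothetical helper).

    Returns (leaked_fields, md5hash, timestamp), where leaked_fields is the
    dict of what the forum actually reported about itself.
    """
    outer = parse_qs(query_string)          # also percent-decodes the base64 blob
    inner = base64.b64decode(outer['update'][0]).decode()
    fields = parse_qs(inner, keep_blank_values=True)  # trailing '&' is ignored
    leaked = {k: v[0] for k, v in fields.items()}
    return leaked, outer['md5hash'][0], int(outer['timestamp'][0])


if __name__ == '__main__':
    beacon = build_update_payload(SAMPLE_REPORT, 'Mozilla/5.0 (constructed UA)', 1230000000)
    leaked, md5hash, ts = decode_update_payload(beacon)
    for key, value in leaked.items():
        print(f"{key:13s} {value}")
    print('md5hash', md5hash, 'timestamp', ts)
```

Running it lists the forum name, software versions, the master's mobile number and the post counts in clear, which is what a proxy log entry for this request actually carries.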

In admin/home.inc.php, around lines 193 to 196 (Discuz 6.1.0 UTF-8 official release), this is the spot:
```php
showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array(
    lang('home_discuz_version'),
    'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a>'
));
```

Although this one does not communicate with the official website directly, I still don't like it. If I want to patch my site, I can go to the official website myself. Also, all files whose names contain insenz can be deleted; they are not needed and do nothing useful.
