I don't care much about the prompt box itself. But how does SABLOG know that my version has a vulnerability? The program must have a backdoor: each time you log in to the admin backend, it automatically checks the official version and compares it with the current one. Well, later I found it, at the end of templates/admin/main.php. Delete the following code and you will be OK.
In fact, this alone is not enough to get a site hacked. Nowadays most people have a bit of common sense and use fairly complex passwords, a few digits plus a few letters, so the MD5 is generally hard to crack. If there is a rainbow table, well...
The code is as follows:
<script type="text/javascript">
i = 1;  // global flag: only the first call to auto() adds the script
var autourl = new Array();
autourl[1] = 'www.sablog.net';
autourl[2] = 'cnc.sablog.net';
function auto(url) {
    if (i) {
        i = 0;
        var oHead = document.getElementsByTagName('head').item(0);
        var oScript = document.createElement("script");
        oScript.type = "text/javascript";
        // Loads a remote script and reports version, release and hostname to that host
        oScript.src = "http://" + url + "/update.php?version=$now_version&release=$now_release&hostname=$now_hostname";
        oHead.appendChild(oScript);
    }
}
function run() {
    for (var i = 1; i < autourl.length; i++) {
        document.write(" ");
    }
}
run();
</script>
Among the currently popular programs, SABLOG is not the only one: Discuz and DEDECMS both have such backdoors as well. What the vendors intend with them is hard to say.
On the one hand, they let users get the latest patches and the latest version in time; as for what else people can do with them...
However, this cuts both ways. Once the official website is hacked, all users will be infected with "batch Trojans".
Now let's go through them all, starting with DEDECMS. Just delete the marked content. The code is as follows:
/include/inc_functions.php
function GetNewInfo(){
    if(!isset($GLOBALS['__funAdmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php");
    return SpGetNewInfo();
}
/include/inc/inc_fun_funAdmin.php
function SpGetNewInfo(){
    global $pai_version;
    $nurl = $_SERVER["HTTP_HOST"];
    // Send the host name only if it looks like a domain name, otherwise "test"
    if(eregi("[a-z\-]{1,}\.[a-z]{2,}", $nurl)){ $nurl = urlencode($nurl); }
    else{ $nurl = "test"; }
    // The iframe passes the installed version and the site's host name to dedecms.com
    $gs = "<iframe name='statfrm' src='http://www.dedecms.com/newinfo.php?version=".urlencode($pai_version)."&formurl=$nurl' frameborder='0' id='statfrm' width='000000' height='50'></iframe>";
    return $gs;
}
dede/index_body.php (dede is the admin backend directory)
<div class="bodytitle">
<div class="bodytitleleft"></div>
<div class="bodytitletxt">DedeCms latest message</div>
</div>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr><form name="uploadspider" action="upload_spider.php" method="post">
<td height="80" class="main_dnews">
<?php echo GetNewInfo()?></td>
</form>
</tr>
</table>
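To look for further checks of this kind before deleting anything, one can list every template line that loads a script or frame from an absolute URL, as the SABLOG script and the DEDECMS iframe above do. This is an added example, not code from the post or from either project; `find_remote_loads` and the sample file contents are constructed here for illustration.

```python
# Added example, not vendor code: list remote script/frame loads in admin templates.
import re

# "src" followed by an absolute URL, in HTML attributes or JS assignments.
SRC_URL = re.compile(r"""\bsrc\s*=\s*["']?(https?://[^>;]*)""", re.IGNORECASE)
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
PARAM = re.compile(r"[?&]([A-Za-z_]\w*)=")


def find_remote_loads(files):
    """Return (path, line_no, host, param_names) for each remote src= found."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            match = SRC_URL.search(line)
            if not match:
                continue
            url = match.group(1)
            host = HOST.match(url)  # None when the host is concatenated in at runtime
            findings.append((
                path, line_no,
                host.group(1).lower() if host else "<built at runtime>",
                PARAM.findall(url),
            ))
    return findings


# Constructed sample tree; the first two entries follow the snippets on this page.
SAMPLE_FILES = {
    "templates/admin/main.php":
        'var oScript = document.createElement("script");\n'
        'oScript.src = "http://" + url + "/update.php?version=$now_version'
        '&release=$now_release&hostname=$now_hostname";\n',
    "include/inc/inc_fun_funAdmin.php":
        "$gs = \"<iframe name='statfrm' src='http://www.dedecms.com/newinfo.php"
        "?version=\".urlencode($pai_version).\"&formurl=$nurl' frameborder='0'>"
        "</iframe>\";\n",
    "admin/home.inc.php":
        '<a href="http://www.example.org/forum" target="_blank">check</a>\n',
}

if __name__ == "__main__":
    for path, line_no, host, params in find_remote_loads(SAMPLE_FILES):
        print(f"{path}:{line_no}: {host} receives {', '.join(params)}")
```

A plain `href` link is not reported, because nothing is fetched until the administrator clicks it.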
Next, the DZ "backdoor". In admin\global.func.php, find "function cpfooter" and replace it with the following function. The code is as follows:
function cpfooter() {
    global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz;
    global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo;
    $infmessage = '';
?>
<?=$infmessage?>
<?php echo $sqldebug;?>
</div>
</body>
</html>
<?php
    updatesession();
}
This file also contains another function, which is unnecessary and can be removed. The code is as follows:
function bbsinformation() {
    global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile;
    // Site details that are always included in the report
    $update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile);
    $updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock');
    // At most once every 4 hours, add member, thread and post counts
    if(empty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) {
        @touch(DISCUZ_ROOT.'./forumdata/updatetime.lock');
        $update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members");
        $update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads");
        $update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts");
        $query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special");
        while($thread = $db->fetch_array($query)) {
            $thread['special'] = intval($thread['special']);
            $update['spt_'.$thread['special']] = $thread['spcount'];
        }
    }
    // Serialize as key=value pairs, then base64-encode the whole string
    $data = '';
    foreach($update as $key => $value) {
        $data .= $key.'='.rawurlencode($value).'&';
    }
    return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'&timestamp='.$timestamp;
}
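To see exactly what a site discloses through bbsinformation(), the query string it returns can be decoded again and its md5hash recomputed. The following is an added example, not Discuz code or the author's; `decode_beacon`, `build_sample` and all sample values are constructed here, and it assumes you have a captured query string together with the User-Agent the forum saw.

```python
# Added example, not Discuz code: decode the query string built by bbsinformation().
import base64
import hashlib
from urllib.parse import parse_qs, quote, unquote_to_bytes


def decode_beacon(query, user_agent):
    """Return (fields, hash_ok) for a captured 'update=...' query string."""
    params = parse_qs(query, keep_blank_values=True)
    blob = base64.b64decode(params["update"][0])
    fields = {}
    for pair in blob.split(b"&"):
        if pair:
            key, _, value = pair.partition(b"=")
            # Work on bytes: the forum charset may not be UTF-8.
            fields[key.decode("ascii", "replace")] = unquote_to_bytes(value)
    timestamp = params["timestamp"][0]
    # PHP side: substr(md5($ua . implode('', $update) . $timestamp), 8, 8)
    material = user_agent.encode() + b"".join(fields.values()) + timestamp.encode()
    hash_ok = hashlib.md5(material).hexdigest()[8:16] == params["md5hash"][0]
    return {k: v.decode("utf-8", "replace") for k, v in fields.items()}, hash_ok


def build_sample(update, user_agent, timestamp):
    """Mirror the PHP on this page to build a constructed test query string."""
    data = "".join(f"{k}={quote(str(v), safe='')}&" for k, v in update.items())
    joined = "".join(str(v) for v in update.values())
    digest = hashlib.md5((user_agent + joined + timestamp).encode()).hexdigest()[8:16]
    blob = quote(base64.b64encode(data.encode()).decode(), safe="")
    return f"update={blob}&md5hash={digest}&timestamp={timestamp}"


# Constructed values, not taken from any real site.
SAMPLE_UA = "Mozilla/5.0 (constructed)"
SAMPLE = build_sample(
    {"uniqueid": "EXAMPLE0000", "version": "6.1.0", "release": "20080101",
     "php": "5.2.6", "mysql": "5.0.51", "charset": "utf-8",
     "bbname": "My Forum", "mastermobile": "", "members": 1200},
    SAMPLE_UA, "1220000000")

if __name__ == "__main__":
    fields, ok = decode_beacon(SAMPLE, SAMPLE_UA)
    print("md5hash matches:", ok)
    for name, value in fields.items():
        print(f"  {name} = {value!r}")
```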
In admin/home.inc.php, at about lines 193-196 (DZ6.1.0 UTF-8, original official release), there is this. The code is as follows:
showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array(
    lang('home_discuz_version'),
    'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a>'
));
Although this does not communicate directly with the official website, I am still not very happy with it. If I want to patch the site, I go to the official website often myself. All files whose names contain insenz can also be deleted; they are not needed and are useless.