I never paid much attention to the notice box, but how does Sablog know that my version has a vulnerability? The program must have a backdoor: every time you log in to the admin panel, it automatically checks the official version and compares it with the current one. I found it later, in the last part of templates/admin/main.php. Delete the following code.
In fact, this alone is not enough to get a site hacked. These days anyone with a little common sense uses a more complex password, and with a few digits plus letters the MD5 hash is generally hard to crack. Of course, there are rainbow tables, but that is another matter ...
The code is as follows:
<script type="text/javascript">
i=1;
var autourl=new Array();
autourl[1] = 'www.sablog.net';
autourl[2] = 'cnc.sablog.net';
// Loads update.php from the given host once, sending version, release and hostname
function auto(url){
    if(i){
        i=0;
        var oHead = document.getElementsByTagName('head').item(0);
        var oScript= document.createElement("script");
        oScript.type = "text/javascript";
        oScript.src = "http://"+url+"/update.php?version=$now_version&release=$now_release&hostname=$now_hostname";
        oHead.appendChild(oScript);
    }
}
function run(){
    for(var i=1;i<autourl.length;i++) {
        document.write(""); // the markup written here is missing from this page
    }
}
run();
</script>
Among today's popular programs, Sablog is not the only one: Discuz and DedeCMS have such a backdoor too. What the vendors really intend with such a backdoor is hard to say.
Letting users get the latest patches and the latest version in time is one side of it; as for the rest, however they choose to play it ...
But this has a good side and a bad side: once the official site is hacked, the consequences are easy to imagine, and all users get "trojaned in bulk".
Now let me lay them all out. First DedeCMS; the lines to delete are marked:
The code is as follows:
/include/inc_functions.php
function GetNewInfo(){
    if(!isset($GLOBALS['__funadmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funadmin.php");
    return SpGetNewInfo();
}
/include/inc/inc_fun_funadmin.php
function SpGetNewInfo(){
    global $cfg_version;
    $nurl = $_SERVER["HTTP_HOST"];
    // Send the site's host name if it looks like a domain, otherwise "test"
    if(eregi("[a-z\-]{1,}\.[a-z]{2,}", $nurl)){ $nurl = urlencode($nurl); }
    else{ $nurl = "test"; }
    // The iframe loads newinfo.php from the vendor, passing the version and host name
    $gs = "<iframe name='stafrm' src='http://www.dedecms.com/newinfo.php?version=".urlencode($cfg_version)."&formurl=$nurl' frameborder='0' id='stafrm' width='100%' height=''></iframe>";
    return $gs;
}
dede/index_body.php (where dede is the admin directory)
<div class="bodytitle">
    <div class="bodytitleleft"></div>
    <div class="bodytitletxt">DedeCMS latest news</div>
</div>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr><form name="uploadspider" action="upload_spider.php" method="POST">
<td height="" class="main_dnews">
<?php echo GetNewInfo(); ?></td>
</form>
</tr>
</table>
Next, here is DZ's "backdoor". In admin\global.func.php, look for "function cpfooter" and replace it with the following function:
The code is as follows:
function cpfooter() {
    global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz;
    global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo;
    $infmessage = '';
?>
<?=$infmessage?>
<?php echo $sqldebug;?>
</div>
</body>
<?php
    updatesession();
}
There is also a function in this file that is not necessary and can be removed:
The code is as follows:
function bbsinformation() {
    global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile;
    // Site identity and software versions reported on every call
    $update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile);
    $updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock');
    // At most once every 4 hours, add member, thread and post counts
    if(empty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) {
        @touch(DISCUZ_ROOT.'./forumdata/updatetime.lock');
        $update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members");
        $update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads");
        $update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts");
        $query = $db->query("SELECT special, COUNT(*) AS spcount FROM {$tablepre}threads GROUP BY special");
        while($thread = $db->fetch_array($query)) {
            $thread['special'] = intval($thread['special']);
            $update['spt_'.$thread['special']] = $thread['spcount'];
        }
    }
    $data = '';
    foreach($update as $key => $value) {
        $data .= $key.'='.rawurlencode($value).'&';
    }
    // Query string: base64 of the data, a short MD5 check value and the timestamp
    return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'&timestamp='.$timestamp;
}
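What the string returned by bbsinformation() actually carries, as an added example (not Discuz code and not part of the original post): a Python decoder that unpacks the update= blob and rechecks md5hash, useful when such a request turns up in a proxy log. The sample request, its User-Agent and every field value are constructed, and build_sample is a hypothetical helper that mirrors the PHP return expression.

```python
import base64
import hashlib
from urllib.parse import parse_qs, quote, unquote_to_bytes

def decode_beacon(query, user_agent):
    """Return (fields, hash_ok) for a query string produced by bbsinformation()."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    data = base64.b64decode(params["update"])      # "key=value&key=value&"
    raw = {}                                       # field -> raw value bytes, in order
    for pair in data.split(b"&"):
        if pair:
            key, _, value = pair.partition(b"=")
            raw[key.decode("ascii")] = unquote_to_bytes(value)   # undo rawurlencode()
    # md5hash = substr(md5(User-Agent . implode('', $update) . $timestamp), 8, 8)
    digest = hashlib.md5(user_agent.encode() + b"".join(raw.values())
                         + params["timestamp"].encode()).hexdigest()
    charset = raw.get("charset", b"utf-8").decode("ascii", "replace")
    try:
        fields = {k: v.decode(charset, "replace") for k, v in raw.items()}
    except LookupError:                            # charset name Python does not know
        fields = {k: v.decode("utf-8", "replace") for k, v in raw.items()}
    return fields, digest[8:16] == params.get("md5hash")

def build_sample(update, user_agent, timestamp):
    """Hypothetical helper: builds constructed test input the way the PHP code does."""
    data = "".join(f"{k}={quote(str(v), safe='')}&" for k, v in update.items())
    blob = base64.b64encode(data.encode()).decode()
    joined = user_agent + "".join(map(str, update.values())) + str(timestamp)
    short = hashlib.md5(joined.encode()).hexdigest()[8:16]
    return f"update={quote(blob, safe='')}&md5hash={short}&timestamp={timestamp}"

# Constructed sample values, not taken from any real forum.
SAMPLE_UA = "Mozilla/5.0 (constructed sample)"
SAMPLE = build_sample({"uniqueid": "CONSTRUCTED-ID", "version": "6.1.0",
                       "charset": "utf-8", "bbname": "Example Forum",
                       "members": 1234, "threads": 56, "posts": 789},
                      SAMPLE_UA, 1200000000)

if __name__ == "__main__":
    fields, hash_ok = decode_beacon(SAMPLE, SAMPLE_UA)
    print("md5hash matches:", hash_ok)
    for name, value in fields.items():
        print(f"{name:10} {value}")
```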
And in admin/home.inc.php, around lines 193~196 (official original DZ6.1.0 UTF-8), here:
The code is as follows:
showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array(
    lang('home_discuz_version'),
    'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a> '
));
Although this one does not communicate with the official site directly, I still find it uncomfortable to look at; if I want patches, I visit the official site often enough myself. Also, every file whose name contains Insenz is unnecessary and can be deleted outright.
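To find every such call-home in an installation rather than only the ones listed above, here is an added audit script (not from the original post or from any of these projects). It generalizes the three snippets to any hard-coded remote src in PHP, HTML or JS files; the regular expressions, the TLD list and the sample tree are assumptions and constructed data.

```python
import re
import tempfile
from pathlib import Path

# src='http://host/...' written literally into markup or a PHP string
LITERAL = re.compile(r"""src\s*=\s*\\?["']?https?://([A-Za-z0-9.-]+)""")
# .src = "http://" + url + ...   (host chosen at run time)
DYNAMIC = re.compile(r"""src\s*=\s*["']https?://["']\s*\+""")
# host names assigned to variables, e.g. autourl[1] = 'www.sablog.net'
HOSTVAR = re.compile(r"""=\s*["']((?:[A-Za-z0-9-]+\.)+(?:net|com|org|cn))["']""")

def find_remote_loads(root, own_hosts=()):
    """Return sorted (relative path, line, kind, host) for each remote src found."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".php", ".htm", ".html", ".js"}:
            continue
        lines = path.read_text(errors="replace").splitlines()
        dynamic = any(DYNAMIC.search(line) for line in lines)
        for no, line in enumerate(lines, 1):
            found = [("literal", host) for host in LITERAL.findall(line)]
            if DYNAMIC.search(line):
                found.append(("dynamic", "(built at run time)"))
            if dynamic:   # host literals only matter in files that build a src
                found += [("host-variable", host) for host in HOSTVAR.findall(line)]
            hits += [(path.relative_to(root).as_posix(), no, kind, host)
                     for kind, host in found if host.lower() not in own_hosts]
    return sorted(hits)

def make_sample_tree():
    """Constructed sample: two files mirroring the patterns quoted on this page."""
    root = Path(tempfile.mkdtemp())
    (root / "templates" / "admin").mkdir(parents=True)
    (root / "templates" / "admin" / "main.php").write_text(
        "autourl[1] = 'www.sablog.net';\n"
        'oScript.src = "http://"+url+"/update.php?version=$now_version";\n')
    (root / "inc_fun.php").write_text(
        "$gs = \"<iframe name='stafrm' src='http://www.dedecms.com/newinfo.php'></iframe>\";\n"
        "$logo = \"<img src='http://my.example.org/logo.png'>\";\n")
    return root

if __name__ == "__main__":
    for hit in find_remote_loads(make_sample_tree(), own_hosts={"my.example.org"}):
        print(*hit, sep="\t")
```

Pass the site's own host names in own_hosts so that only third-party destinations are listed; each hit still needs a manual look before anything is deleted.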