我倒不怎麼關心提示框,SABLOG怎麼知道我的版本有漏洞呢,程式肯定有後門.每次登陸後台自動檢測官方版本跟目前的版本對比.嗯.後來找到了.在templates/admin/main.php最後的一部分.刪掉如下代碼就OK了.
其實這個不足以導致被黑的,現在一般有點常識的,密碼都比較複雜,幾個數字+幾個字母,MD5的話一般很難跑出來.當然有彩虹表的話,另說...
目前流行的程式裡,不止SABLOG一個,Discuz,DEDECMS都是有這樣的後門的.這樣的後門官方的真正用意很難說.
為了讓使用者及時得到最新的補丁,最新的版本是一方面,其他的,隨便人家怎麼發揮了...
但是這個東西有好的一面,也有壞的一面,一旦官方被黑,後果可想而知,所有的使用者就被"批量掛馬"了.
現在乾脆都給發出來吧.先來個DEDECMS的,標示出來的刪掉就行: 複製代碼 代碼如下:/include/inc_functions.php
function GetNewInfo(){
if(!isset($GLOBALS['__funAdmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php");
return SpGetNewInfo();
}
/include/inc/inc_fun_funAdmin.php
function SpGetNewInfo(){
global $cfg_version;
$nurl = $_SERVER["HTTP_HOST"];
if( eregi("[a-z\-]{1,}\.[a-z]{2,}",$nurl) ){ $nurl = urlencode($nurl); }
else{ $nurl = "test"; }
$gs = "<iframe name='stafrm' src='http://www.dedecms.com/newinfo.php?version=".urlencode($cfg_version)."&formurl=$nurl' frameborder='0' id='stafrm' width='100%' height='50'></iframe>";
return $gs;
}
dede/index_body.php(其中dede為後台目錄)
<div class="bodytitle">
<div class="bodytitleleft"></div>
<div class="bodytitletxt">DedeCms最新訊息</div>
</div>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr><form name="uploadspider" action="upload_spider.php" method="post">
<td height="80" class="main_dnews">
<?php echo GetNewInfo()?> </td>
</form>
</tr>
</table>
再把DZ的"後門"發出來吧.admin\global.func.php裡面尋找"function cpfooter",替換成如下的function: 複製代碼 代碼如下:function cpfooter() {
global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz;
global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo;
$infmessage = '';
?>
<?=$infmessage?>
<?php echo $sqldebug;?>
</div>
</body>
</html>
<?php
updatesession();
}
這個檔案中還有一個function,沒必要的,可以去掉: 複製代碼 代碼如下:function bbsinformation() {
global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile;
$update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile);
$updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/updatetime.lock');
if(emptyempty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) {
@touch(DISCUZ_ROOT.'./forumdata/updatetime.lock');
$update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members");
$update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads");
$update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts");
$query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special");
while($thread = $db->fetch_array($query)) {
$thread['special'] = intval($thread['special']);
$update['spt_'.$thread['special']] = $thread['spcount'];
}
}
$data = '';
foreach($update as $key => $value) {
$data .= $key.'='.rawurlencode($value).'&';
}
return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'×tamp='.$timestamp;
}
還有admin/home.inc.php,大概193~196行(DZ6.1.0 UTF-8官方原版),這裡: 複製代碼 代碼如下:showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array(
lang('home_discuz_version'),
'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a> '
));
雖然說這裡沒有直接與官方進行通訊,但是,,,我看著不爽,想打補丁自己常去官方看就是了.還有所有檔案名稱中包含insenz的檔案,用不著的話就直接刪除.沒什麼用.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
