一些 PHP 管理系统程序中的后门 - walter371

一些 PHP 管理系统程序中的后门

一些php网站管理程序的，一些后门，其实官方也没有恶意，主要是大家为了自己的安全。

我倒不怎么关心提示框,SABLOG怎么知道我的版本有漏洞呢,程序肯定有后门.每次登陆后台自动检测官方版本跟当前版本对比.嗯.后来找到了.在templates/admin/main.php最后的一部分.删掉如下代码就OK了.
其实这个不足以导致被黑的,现在一般有点常识的,密码都比较复杂,几个数字+几个字母,MD5的话一般很难跑出来.当然有彩虹表的话,另说...

<script type="text/javascript"> 
i=1; 
var autourl=new Array(); 
autourl[1] = \'www.sablog.net\'; 
autourl[2] = \'cnc.sablog.net\'; 
function auto(url){ 
if(i){ 
i=0; 
var oHead = document.getElementsByTagName(\'head\').item(0); 
var oScript= document.createElement("script"); 
oScript.type = "text/javascript"; 
oScript.src = "http://"+url+"/update.php?version=$now_version&release=$now_release&hostname=$now_hostname"; 
oHead.appendChild(oScript); 
} 
} 
function run(){ 
for(var i=1;i<autourl.length;i++) { 
document.write("<img src=http://"+autourl+" width=1 height=1 onerror=auto(\'"+autourl+"\')>"); 
} 
} 
run(); 
</script>

 

目前流行的程序里,不止SABLOG一个,Discuz,DEDECMS都是有这样的后门的.这样的后门官方的真正用意很难说.
为了让用户及时得到最新的补丁,最新的版本是一方面,其他的,随便人家怎么发挥了...
但是这个东西有好的一面,也有坏的一面,一旦官方被黑,后果可想而知,所有的用户就被"批量挂马"了.
现在干脆都给发出来吧.先来个DEDECMS的,标示出来的删掉就行:

/include/inc_functions.php 
function GetNewInfo(){ 
if(!isset($GLOBALS[\'__funAdmin\'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php"); 
return SpGetNewInfo(); 
} 
/include/inc/inc_fun_funAdmin.php 
function SpGetNewInfo(){ 
global $cfg_version; 
$nurl = $_SERVER["HTTP_HOST"]; 
if( eregi("[a-z\-]{1,}\.[a-z]{2,}",$nurl) ){ $nurl = urlencode($nurl); } 
else{ $nurl = "test"; } 
$gs = "<iframe name=\'stafrm\' src=\'http://www.dedecms.com/newinfo.php?version=".urlencode($cfg_version)."&formurl=$nurl\' frameborder=\'0\' id=\'stafrm\' width=\'100%\' height=\'50\'></iframe>"; 
return $gs; 
} 
dede/index_body.php(其中dede为后台目录) 
<div class="bodytitle"> 
<div class="bodytitleleft"></div> 
<div class="bodytitletxt">DedeCms最新消息</div> 
</div> 
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0"> 
<tr><form name="uploadspider" action="upload_spider.php" method="post"> 
<td height="80" class="main_dnews"> 
<?php echo GetNewInfo()?> </td> 
</form> 
</tr> 
</table>

/include/inc/inc_stat.php

<?php
function SpUpdateStat()
{
    global $cfg_version;
    if(empty($cfg_version))
    {
        $cfg_version = \'notknow\';
    }
    $statport = array(0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x64,0x65,0x64,0x65,
        0x63,0x6d,0x73,0x2e,0x63,0x6f,0x6d,0x2f,0x73,0x74,0x61,0x74,0x2e,0x70,0x68,0x70,
        0x3f,0x72,0x66,0x68,0x6f,0x73,0x74,0x3d);
    $staturl = \'\';
    foreach($statport as $c)
    {
        $staturl .= chr($c);
    }
    $staturl = $staturl.urlencode($_SERVER[\'HTTP_HOST\']).\'&ver=\'.urlencode($cfg_version);
    //return $staturl;
    $stat = @file_get_contents($staturl);
    return $stat;
}
//echo "version: ".SpUpdateStat();

 

再把DZ的"后门"发出来吧.admin\global.func.php里面查找"function cpfooter",替换成如下的function:

function cpfooter() { 
global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz; 
global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo; 
$infmessage = \'\'; 
?> 
<?=$infmessage?> 
<?php echo $sqldebug;?> 
</div> 
</body> 
</html> 
<?php 
updatesession(); 
}

 

这个文件中还有一个function,没必要的,可以去掉:

function bbsinformation() { 
global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile; 
$update = array(\'uniqueid\' => $siteuniqueid, \'version\' => DISCUZ_VERSION, \'release\' => DISCUZ_RELEASE, \'php\' => PHP_VERSION, \'mysql\' => $db->version(), \'charset\' => $charset, \'bbname\' => $bbname, \'mastermobile\' => $save_mastermobile); 
$updatetime = @filemtime(DISCUZ_ROOT.\'./forumdata/updatetime.lock\'); 
if(emptyempty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) { 
@touch(DISCUZ_ROOT.\'./forumdata/updatetime.lock\'); 
$update[\'members\'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members"); 
$update[\'threads\'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads"); 
$update[\'posts\'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts"); 
$query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special"); 
while($thread = $db->fetch_array($query)) { 
$thread[\'special\'] = intval($thread[\'special\']); 
$update[\'spt_\'.$thread[\'special\']] = $thread[\'spcount\']; 
} 
} 
$data = \'\'; 
foreach($update as $key => $value) { 
$data .= $key.\'=\'.rawurlencode($value).\'&\'; 
} 
return \'update=\'.rawurlencode(base64_encode($data)).\'&md5hash=\'.substr(md5($_SERVER[\'HTTP_USER_AGENT\'].implode(\'\', $update).$timestamp), 8, 8).\'×tamp=\'.$timestamp; 
}

 

还有admin/home.inc.php,大概193~196行(DZ6.1.0 UTF-8官方原版),这里:

 

showtablerow(\'\', array(\'class="vtop td24 lineheight"\', \'class="lineheight smallfont"\'), array( 
lang(\'home_discuz_version\'), 
\'Discuz! \'.DISCUZ_VERSION.\' Release \'.DISCUZ_RELEASE.\' <a href="http://www.discuz.net/forumdisplay.php?fid=10" class="lightlink smallfont" target="_blank">\'.lang(\'home_check_newversion\').\'</a> \' 
));

 

虽然说这里没有直接与官方进行通信,但是,,,我看着不爽,想打补丁自己常去官方看就是了.还有所有文件名中包含insenz的文件,用不着的话就直接删除.没什么用.