SoFunction
Updated on 2025-03-10

Backdoors in some PHP management system programs

I don't care much about the prompt box. But how does SABLOG know that there are vulnerabilities in my version? The program must have a backdoor: every time I log in to the admin back end, it automatically checks the official version against the current version. Well, I found it later. It is in the last part of templates/admin/, and deleting the following code is enough.
In fact, this alone is not enough to get a site hacked. Nowadays people generally have some common sense and use relatively complicated passwords. With a few digits plus letters, the MD5 is generally difficult to crack. Of course, if there is a rainbow table, who knows...

The code is as follows:

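<script type="text/javascript">
// Global flag: 1 until the fallback script has been injected once.
i=1;
var autourl=new Array();
autourl[1] = '';
autourl[2] = '';
// Called from an <img> onerror handler: loads a remote script from the given
// host and passes the installed version, release and host name in the URL.
function auto(url){
	if(i){
		i=0;
		var oHead = document.getElementsByTagName('head').item(0);
		var oScript= document.createElement("script");
		oScript.type = "text/javascript";
		oScript.src = "http://"+url+"/?version=$now_version&release=$now_release&hostname=$now_hostname";
		oHead.appendChild(oScript);
	}
}
// Writes one 1x1 <img> per configured host; each image's onerror calls auto().
function run(){
	for(var i=1;i<autourl.length;i++) {
		document.write("<img src=http://"+autourl[i]+" width=1 height=1 onerror=auto('"+autourl[i]+"')>");
	}
}
run();
</script>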

Among popular programs, more than just SABLOG have such backdoors: Discuz and DEDECMS do too. It is hard to say what the real intention behind them is.
Letting users get the latest patches and the latest version in a timely manner is one aspect; beyond that, they can do whatever they want...
But this has a good side and a bad side. Once the official site is hacked, the consequences can be imagined: all users will be hit "in bulk".
Now let me just post them all. First, DEDECMS; just delete the marked parts:

/include/inc_functions.php
function GetNewInfo(){
if(!isset($GLOBALS['__funAdmin'])) require_once(dirname(__FILE__)."/inc/inc_fun_funAdmin.php");
return SpGetNewInfo();
}
/include/inc/inc_fun_funAdmin.php
function SpGetNewInfo(){
global $cfg_version;
$nurl = $_SERVER["HTTP_HOST"];
if( eregi("[a-z\-]{1,}\.[a-z]{2,}",$nurl) ){ $nurl = urlencode($nurl); }
else{ $nurl = "test"; }
$gs = "<iframe name='stafrm' src='/?version=".urlencode($cfg_version)."&formurl=$nurl' frameborder='0' id='stafrm' width='100%' height='50'></iframe>";
return $gs;
}
dede/index_body.php (where dede is the admin back-end directory)
<div class="bodytitle">
<div class="bodytitleleft"></div>
<div class="bodytitletxt">DedeCms Latest News</div>
</div>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr><form name="uploadspider" action="upload_spider.php" method="post">
<td height="80" class="main_dnews">
<?php echo GetNewInfo()?> </td>
</form>
</tr>
</table>

Next, the "backdoor" in DZ (Discuz). Look for "function cpfooter" in admin\ and replace it with the following function:

function cpfooter() {
global $version, $adminid, $db, $tablepre, $action, $bbname, $charset, $timestamp, $isfounder, $insenz;
global $_COOKIE, $_SESSION, $_DCOOKIE, $_DCACHE, $_DSESSION, $_DCACHE, $_DPLUGIN, $sqldebug, $debuginfo;
$infmessage = '';
?>
<?=$infmessage?>
<?php echo $sqldebug;?>
</div>
</body>
</html>
<?php
updatesession();
}

There is also a function in this file that is not necessary and can be removed:

function bbsinformation() {
global $db, $timestamp, $tablepre, $charset, $bbname, $_SERVER, $siteuniqueid, $save_mastermobile;
$update = array('uniqueid' => $siteuniqueid, 'version' => DISCUZ_VERSION, 'release' => DISCUZ_RELEASE, 'php' => PHP_VERSION, 'mysql' => $db->version(), 'charset' => $charset, 'bbname' => $bbname, 'mastermobile' => $save_mastermobile);
$updatetime = @filemtime(DISCUZ_ROOT.'./forumdata/');
if(empty($updatetime) || ($timestamp - $updatetime > 3600 * 4)) {
@touch(DISCUZ_ROOT.'./forumdata/');
$update['members'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}members");
$update['threads'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads");
$update['posts'] = $db->result_first("SELECT COUNT(*) FROM {$tablepre}posts");
$query = $db->query("SELECT special, count(*) AS spcount FROM {$tablepre}threads GROUP BY special");
while($thread = $db->fetch_array($query)) {
$thread['special'] = intval($thread['special']);
$update['spt_'.$thread['special']] = $thread['spcount'];
}
}
$data = '';
foreach($update as $key => $value) {
$data .= $key.'='.rawurlencode($value).'&';
}
return 'update='.rawurlencode(base64_encode($data)).'&md5hash='.substr(md5($_SERVER['HTTP_USER_AGENT'].implode('', $update).$timestamp), 8, 8).'&timestamp='.$timestamp;
}
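
To see what the string returned by bbsinformation() discloses if it turns up in a proxy or egress log, the following added example (not code from the original page or from Discuz) decodes the `update` blob and recomputes the 8-character `md5hash`. The names `decode_beacon`, `build_sample` and all sample values are constructed for illustration; it assumes the last parameter is named `timestamp` and that the board charset is passed in when it is not UTF-8.

```python
import base64
import hashlib
from urllib.parse import parse_qs, parse_qsl, quote

# Constructed sample values, not taken from any real site.
SAMPLE_UA = "Mozilla/5.0 (constructed)"
SAMPLE_FIELDS = {"uniqueid": "abc123", "version": "6.1.0", "release": "20080101",
                 "php": "5.2.6", "mysql": "5.0.51", "charset": "utf-8",
                 "bbname": "Test Board & Co", "mastermobile": "", "members": 42}


def build_sample(update, user_agent, timestamp, charset="utf-8"):
    """Mirror the return statement of bbsinformation() to produce test input."""
    data = "".join(f"{k}={quote(str(v), safe='', encoding=charset)}&"
                   for k, v in update.items())
    material = user_agent + "".join(str(v) for v in update.values()) + str(timestamp)
    digest = hashlib.md5(material.encode(charset)).hexdigest()[8:16]  # substr(md5, 8, 8)
    blob = quote(base64.b64encode(data.encode("ascii")).decode("ascii"), safe="")
    return f"update={blob}&md5hash={digest}&timestamp={timestamp}"


def decode_beacon(query, user_agent=None, charset="utf-8"):
    """Return (fields, hash_ok); hash_ok is None when no User-Agent is supplied."""
    outer = parse_qs(query, keep_blank_values=True)
    # Inner payload is key=rawurlencode(value)& pairs, so it is plain ASCII.
    inner = base64.b64decode(outer["update"][0]).decode("ascii", "replace")
    fields = dict(parse_qsl(inner, keep_blank_values=True, encoding=charset))
    hash_ok = None
    if user_agent is not None:
        # md5 input: User-Agent + all values in order + timestamp.
        material = user_agent + "".join(fields.values()) + outer["timestamp"][0]
        digest = hashlib.md5(material.encode(charset)).hexdigest()[8:16]
        hash_ok = digest == outer["md5hash"][0]
    return fields, hash_ok


if __name__ == "__main__":
    captured = build_sample(SAMPLE_FIELDS, SAMPLE_UA, 1200000000)
    fields, ok = decode_beacon(captured, SAMPLE_UA)
    for key, value in fields.items():
        print(f"{key:>14}: {value!r}")
    print("md5hash matches:", ok)
```

The hash only matches when the User-Agent from the same logged request is supplied, since it is part of the MD5 input.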

There is also admin/, around lines 193~196 (DZ6.1.0 UTF-8 official original version), here:

showtablerow('', array('class="vtop td24 lineheight"', 'class="lineheight smallfont"'), array(
lang('home_discuz_version'),
'Discuz! '.DISCUZ_VERSION.' Release '.DISCUZ_RELEASE.' <a href="/?fid=10" class="lightlink smallfont" target="_blank">'.lang('home_check_newversion').'</a> '
));

Although I didn't communicate directly with the official site, I was unhappy here and wanted to patch it. I often go to the official site to read it anyway. There are also all the files with insenz in the file name; I deleted them directly since I don't need them. They're useless.