大商创的开源代码都有哪些后门,如何去除大商创后门

本文共有5164个字,关键词:大商创

大商创的开源代码中有很多后门,以方便官方监控系统的使用,官方做的真是无孔不入啊,我找到了下面几种。

1、数据库表dsc_shop_config 中,code值为certi的记录。我们发现这就是大商创的后门地址了,那我们去代码中看看,大商创是怎么利用的这个地址的吧,我们全局搜索一下。

搜索关键词:write_static_cache('seller_goods_str', $httpData);

搜索结果:

$httpData = array('domain' => $ecs->get_domain(), 'url' => urldecode($shop_url), 'shop_name' => $_CFG['shop_name'], 'shop_title' => $_CFG['shop_title'], 'shop_desc' => $_CFG['shop_desc'], 'shop_keywords' => $_CFG['shop_keywords'], 'country' => $shop_country, 'province' => $shop_province, 'city' => $shop_city, 'address' => $shop_address, 'qq' => $qq, 'ww' => $ww, 'ym' => $service_phone, 'msn' => $_CFG['msn'], 'email' => $service_email, 'phone' => $_CFG['sms_shop_mobile'], 'icp' => $_CFG['icp_number'], 'version' => VERSION, 'release' => RELEASE, 'language' => $_CFG['lang'], 'php_ver' => PHP_VERSION, 'mysql_ver' => $db->version(), 'charset' => EC_CHARSET);
$Http = new Http();
$Http->doPost($_CFG['certi'], $httpData);
write_static_cache('seller_goods_str', $httpData);

好吧,我们可以搜索出N条这样的记录。官方基本上拿到了我们系统的所有信息了,我们把$Http = new Http();$Http->doPost($_CFG['certi'], $httpData);这段代码去掉,那么请求就失效了吧,但是!!!
2、既然certi是官方的地址,那么我们把它改了不更好吗,好了我们把修改成一个无关紧要的地址。但是刷新后,我们发现地址居然又变回之前的地址了。好吧,我们认为代码中应该是更新了这条记录。我们开始全局搜索吧。

搜索词为:http://ecshop.ecmoban.com/dsc.php;
搜索结果:$certi_url = 'http://ecshop.ecmoban.com/dsc.php';

if (empty($arr['certi']) || $arr['certi'] != $certi_url) {
$sql = 'UPDATE ' . $GLOBALS['ecs']->table('shop_config') . (' SET value = \'' . $certi_url . '\' WHERE code = \'certi\'');
$row = $GLOBALS['db']->query($sql);
}
----------------------------------------------------------------------------------------------------------------
$certi_url = $GLOBALS['db']->getOne('SELECT value FROM ' . $GLOBALS['ecs']->table('shop_config') . ' WHERE code = \'certi\'');
$certi_size = 'http://ecshop.ecmoban.com/dsc.php';
if (empty($certi_url) || $certi_url != $certi_size) {
$sql = 'UPDATE ' . $GLOBALS['ecs']->table('shop_config') . (' SET value = \'' . $certi_size . '\' WHERE code = \'certi\'');
$row = $GLOBALS['db']->query($sql);
}

我这里搜到了两处,这不就是直接更新了certi这条记录了嘛,我们把它去掉。

3、既然certi这个地址是官方的授权信息,那我们是不是可以直接去掉呢,好!我们去掉他吧!但是这样官方也是有办法的,这个后门做的,很不好找到的。

搜素关键词:cat_goods_config 或者 aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw

搜素结果:

$cer_url = $GLOBALS['db']->getOne('SELECT value FROM ' . $GLOBALS['ecs']->table('shop_config') . ' WHERE code = \'certi\'');
$post_type = 0;

if (strpos($section, $cp_str) !== false) {
$post_type = 1;
}

if (empty($cer_url) && $post_type != 1) {
$post_type = 2;
}
if (empty($cer_url)) {
if (file_exists(ROOT_PATH . 'temp/static_caches/cat_goods_config.php')) {
require ROOT_PATH . 'temp/static_caches/cat_goods_config.php';
}
else {
$shop_url = urlencode($GLOBALS['ecs']->url());
$shop_country = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_country'] . '\'');
$shop_province = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_province'] . '\'');
$shop_city = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_city'] . '\'');
$url_data = array('domain' => $GLOBALS['ecs']->get_domain(), 'url' => urldecode($shop_url), 'shop_name' => $GLOBALS['_CFG']['shop_name'], 'shop_title' => $GLOBALS['_CFG']['shop_title'], 'shop_desc' => $GLOBALS['_CFG']['shop_desc'], 'shop_keywords' => $GLOBALS['_CFG']['shop_keywords'], 'country' => $shop_country, 'province' => $shop_province, 'city' => $shop_city, 'address' => $GLOBALS['_CFG']['shop_address'], 'qq' => $GLOBALS['_CFG']['qq'], 'ww' => $GLOBALS['_CFG']['ww'], 'ym' => $GLOBALS['_CFG']['service_phone'], 'msn' => $GLOBALS['_CFG']['msn'], 'email' => $GLOBALS['_CFG']['service_email'], 'phone' => $GLOBALS['_CFG']['sms_shop_mobile'], 'icp' => $GLOBALS['_CFG']['icp_number'], 'version' => VERSION, 'release' => RELEASE, 'language' => $GLOBALS['_CFG']['lang'], 'php_ver' => PHP_VERSION, 'mysql_ver' => $GLOBALS['db']->version(), 'charset' => EC_CHARSET, 'post_type' => $post_type);
$cp_url_size = 'base64_decode(\'aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw\')';
$cp_url_size = '$url_http = ' . $cp_url_size . ";\r\n";
$cp_url = $cp_url_size;
$cp_url .= '$purl_http = new Http();' . "\r\n";
$cp_url .= '$purl_http->doPost($url_http, $url_data);';
write_static_cache('cat_goods_config', $cp_url, '/temp/static_caches/', 1, $url_data);
}
}

代码分析:代码最终会生成一个缓存文件,下次请求就直接加载文件了,但是我们发现,这个缓存文件内容就是请求官方地址的,官方将地址base64加密了,aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw,这个就地址的加密后的串,你可以解开看下,就是certi的值啊,就算数据库里没有,我代码中还有加密的呢。(官方好手段!!!!!)那么,我们将这段代码整体删除吧。

4、搜索关键词:http://cloud.ecmoban.com/api.php
搜素结果:

$apiget = 'act=ent_sign&ent_id= ' . $ent_id . ' & certificate_id=' . $certificate_id;
$t->request('http://cloud.ecmoban.com/api.php', $apiget);

虽然不知道这块具体的逻辑,但是请求官方地址,那么我们也要拿掉。

「一键投喂 软糖/蛋糕/布丁/牛奶/冰阔乐!」

大鱼

(๑>ڡ<)☆谢谢老板~

使用微信扫描二维码完成支付

版权声明:本文为作者原创,如需转载须联系作者本人同意,未经作者本人同意不得擅自转载。本站微信公众号:7TEC,敬请关注!
添加新评论
暂无评论