大商创的开源代码中有很多后门，以方便官方监控系统的使用，官方做的真是无孔不入啊，我找到了下面几种。

1、数据库表dsc_shop_config 中，code值为certi的记录。我们发现这就是大商创的后门地址了，那我们去代码中看看，大商创是怎么利用的这个地址的吧，我们全局搜索一下。

搜索关键词：write_static_cache('seller_goods_str', $httpData);

搜索结果：$httpData = array('domain' => $ecs->get_domain(), 'url' => urldecode($shop_url), 'shop_name' => $_CFG['shop_name'], 'shop_title' => $_CFG['shop_title'], 'shop_desc' => $_CFG['shop_desc'], 'shop_keywords' => $_CFG['shop_keywords'], 'country' => $shop_country, 'province' => $shop_province, 'city' => $shop_city, 'address' => $shop_address, 'qq' => $qq, 'ww' => $ww, 'ym' => $service_phone, 'msn' => $_CFG['msn'], 'email' => $service_email, 'phone' => $_CFG['sms_shop_mobile'], 'icp' => $_CFG['icp_number'], 'version' => VERSION, 'release' => RELEASE, 'language' => $_CFG['lang'], 'php_ver' => PHP_VERSION, 'mysql_ver' => $db->version(), 'charset' => EC_CHARSET);

$Http = new Http();

$Http->doPost($_CFG['certi'], $httpData);

write_static_cache('seller_goods_str', $httpData);

好吧，我们可以搜索出N条这样的记录。官方基本上拿到了我们系统的所有信息了，我们把$Http = new Http();$Http->doPost($_CFG['certi'], $httpData);这段代码去掉，那么请求就失效了吧，但是！！！

2、既然certi是官方的地址，那么我们把它改了不更好吗，好了我们把修改成一个无关紧要的地址。但是刷新后，我们发现地址居然又变回之前的地址了。好吧，我们认为代码中应该是更新了这条记录。我们开始全局搜索吧。

搜索词为：http://ecshop.ecmoban.com/dsc.php；

搜索结果：$certi_url = 'http://ecshop.ecmoban.com/dsc.php';

if (empty($arr['certi']) || $arr['certi'] != $certi_url) {

$sql = 'UPDATE ' . $GLOBALS['ecs']->table('shop_config') . (' SET value = \'' . $certi_url . '\' WHERE code = \'certi\'');

$row = $GLOBALS['db']->query($sql);

}

----------------------------------------------------------------------------------------------------------------

$certi_url = $GLOBALS['db']->getOne('SELECT value FROM ' . $GLOBALS['ecs']->table('shop_config') . ' WHERE code = \'certi\'');

$certi_size = 'http://ecshop.ecmoban.com/dsc.php';

if (empty($certi_url) || $certi_url != $certi_size) {

$sql = 'UPDATE ' . $GLOBALS['ecs']->table('shop_config') . (' SET value = \'' . $certi_size . '\' WHERE code = \'certi\'');

$row = $GLOBALS['db']->query($sql);

}

我这里搜到了两处，这不就是直接更新了certi这条记录了嘛，我们把它去掉。

3、既然certi这个地址是官方的授权信息，那我们是不是可以直接去掉呢，好！我们去掉他吧！但是这样官方也是有办法的，这个后门做的，很不好找到的。

搜素关键词：cat_goods_config 或者 aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw

搜素结果：

$cer_url = $GLOBALS['db']->getOne('SELECT value FROM ' . $GLOBALS['ecs']->table('shop_config') . ' WHERE code = \'certi\'');

$post_type = 0;

if (strpos($section, $cp_str) !== false) {

$post_type = 1;

}

if (empty($cer_url) && $post_type != 1) {

$post_type = 2;

}

if (empty($cer_url)) {

if (file_exists(ROOT_PATH . 'temp/static_caches/cat_goods_config.php')) {

require ROOT_PATH . 'temp/static_caches/cat_goods_config.php';

}

else {

$shop_url = urlencode($GLOBALS['ecs']->url());

$shop_country = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_country'] . '\'');

$shop_province = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_province'] . '\'');

$shop_city = $GLOBALS['db']->getOne('SELECT region_name FROM ' . $GLOBALS['ecs']->table('region') . ' WHERE region_id=\'' . $GLOBALS['_CFG']['shop_city'] . '\'');

$url_data = array('domain' => $GLOBALS['ecs']->get_domain(), 'url' => urldecode($shop_url), 'shop_name' => $GLOBALS['_CFG']['shop_name'], 'shop_title' => $GLOBALS['_CFG']['shop_title'], 'shop_desc' => $GLOBALS['_CFG']['shop_desc'], 'shop_keywords' => $GLOBALS['_CFG']['shop_keywords'], 'country' => $shop_country, 'province' => $shop_province, 'city' => $shop_city, 'address' => $GLOBALS['_CFG']['shop_address'], 'qq' => $GLOBALS['_CFG']['qq'], 'ww' => $GLOBALS['_CFG']['ww'], 'ym' => $GLOBALS['_CFG']['service_phone'], 'msn' => $GLOBALS['_CFG']['msn'], 'email' => $GLOBALS['_CFG']['service_email'], 'phone' => $GLOBALS['_CFG']['sms_shop_mobile'], 'icp' => $GLOBALS['_CFG']['icp_number'], 'version' => VERSION, 'release' => RELEASE, 'language' => $GLOBALS['_CFG']['lang'], 'php_ver' => PHP_VERSION, 'mysql_ver' => $GLOBALS['db']->version(), 'charset' => EC_CHARSET, 'post_type' => $post_type);

$cp_url_size = 'base64_decode(\'aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw\')';

$cp_url_size = '$url_http = ' . $cp_url_size . ";\r\n";

$cp_url = $cp_url_size;

$cp_url .= '$purl_http = new Http();' . "\r\n";

$cp_url .= '$purl_http->doPost($url_http, $url_data);';

write_static_cache('cat_goods_config', $cp_url, '/temp/static_caches/', 1, $url_data);

}

}

代码分析：代码最终会生成一个缓存文件，下次请求就直接加载文件了，但是我们发现，这个缓存文件内容就是请求官方地址的，官方将地址base64加密了，aHR0cDovL2Vjc2hvcC5lY21vYmFuLmNvbS9kc2MucGhw，这个就地址的加密后的串，你可以解开看下，就是certi的值啊，就算数据库里没有，我代码中还有加密的呢。(官方好手段！！！！！)那么，我们将这段代码整体删除吧。

4、搜索关键词：http://cloud.ecmoban.com/api.php

搜素结果：$apiget = 'act=ent_sign&ent_id= ' . $ent_id . ' & certificate_id=' . $certificate_id;

$t->request('http://cloud.ecmoban.com/api.php', $apiget);

虽然不知道这块具体的逻辑，但是请求官方地址，那么我们也要拿掉。