Remote Code Execution at wpt.ec2.shopify.com
One of the Shopify subdomains was running an old version of WebPageTest, which contained the following code:
exec($command, $lines, $result_code);
This call was originally intended to run grep, but it could execute user-supplied commands.
Some simple filtering was applied to the user-supplied input:
$filterstr = trim(escapeshellarg(str_replace(array('"', "'", '\\'), '', trim($filterstr))), "'\""); # basic filtering
After the payload was submitted, the next page would take at least 20 seconds to load, confirming that the command had executed.
How To Perform
- Use $(sleep 20) as a payload in different available inputs
- Observe the response time
- Change the sleep duration to confirm
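Why the filter quoted above leaves the payload intact, next to two hardened alternatives. This is an added example, not WebPageTest's or Shopify's code; the function names, the grep command shape, the file path and the sample lines are assumptions, and a POSIX shell is assumed.

```php
<?php
// Added example, not WebPageTest code. Function names, the grep command
// shape and the sample log lines are assumptions made for illustration.

// The filter exactly as quoted on the page. escapeshellarg() wraps the value
// in single quotes, then the outer trim() removes those quotes again, so shell
// metacharacters such as $ ( ) ` ; | & reach the shell unquoted.
function page_filter(string $filterstr): string
{
    return trim(escapeshellarg(str_replace(array('"', "'", '\\'), '', trim($filterstr))), "'\"");
}

// Hardened option 1: keep the quoting escapeshellarg() adds, and put "--"
// before the pattern so a value starting with "-" is not read as an option.
function build_grep_command(string $filterstr, string $path): string
{
    return 'grep -F -- ' . escapeshellarg(trim($filterstr)) . ' ' . escapeshellarg($path);
}

// Hardened option 2: no shell at all; do the substring match in PHP.
function filter_lines(array $lines, string $filterstr): array
{
    $needle = trim($filterstr);
    if ($needle === '') {
        return $lines;
    }
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => strpos($line, $needle) !== false
    ));
}

$payload = '$(sleep 20)';  // the timing payload from the page
$lines = ['GET /index.html 200', 'GET /$(sleep 20) 404', 'POST /login 302']; // constructed

// The page's filter returns the payload unchanged: nothing it strips
// (", ', \) is needed for command substitution.
var_dump(page_filter($payload) === $payload);

// With the quotes kept, the shell treats the whole value as one literal word.
echo build_grep_command($payload, '/tmp/sample.log'), "\n";

// The PHP-only filter treats the payload as plain text to search for.
print_r(filter_lines($lines, $payload));
```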