Remote Code Execution at wpt.ec2.shopify.com

From Hackipedia
Revision as of 09:05, 19 September 2017 by Hogarth45
Hackerone #73567
Target: Shopify
Target Module: WebPageTest
Type: RCE
Payload: $(sleep 20)
Original: https://hackerone.com/reports/73567
CVE:


One of the Shopify subdomains was running an old version of WebPageTest that handed a command string built from user input straight to PHP's exec():

exec($command, $lines, $result_code);

The call was intended to run grep, but because user-supplied input was concatenated into $command, anything embedded in that input was run by the shell as well.

The user-supplied input did go through some simple filtering first:

$filterstr = trim(escapeshellarg(str_replace(array('"', "'", '\\'), '', trim($filterstr))), "'\""); # basic filtering

This strips double quotes, single quotes and backslashes, wraps the result in quotes with escapeshellarg(), and then trim() removes the very quotes escapeshellarg() just added. Nothing in that chain touches $(...) or backticks, so a command substitution such as $(sleep 20) reaches the shell intact.

With the payload supplied, the next page took at least 20 seconds to load, confirming that the injected command was executed.
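The script below is an added example, not code from WebPageTest or from the report. It reproduces the filter line above, shows why $(sleep 20) survives it, and contrasts it with two hardened variants: keeping escapeshellarg()'s quoting, or avoiding the shell altogether. The grep command shape, the results file and the allow-list pattern are assumptions made for illustration.

```php
<?php
// Added example (not WebPageTest's code). Behaviour of escapeshellarg() is
// described for Linux, where it wraps the value in single quotes; on Windows
// it uses double quotes, which the original trim() removes just the same.

/** The original chain: strip quote characters, quote for the shell, then strip the quotes again. */
function filter_original(string $filterstr): string
{
    return trim(escapeshellarg(str_replace(array('"', "'", '\\'), '', trim($filterstr))), "'\"");
}

/** Hardened: keep escapeshellarg()'s quoting intact, so the value is a single literal argument. */
function filter_quoted(string $filterstr): string
{
    return escapeshellarg(trim($filterstr));
}

/** Stricter: allow-list the characters a result filter legitimately needs (pattern is an assumption). */
function filter_allowlist(string $filterstr): ?string
{
    $s = trim($filterstr);
    return preg_match('/^[A-Za-z0-9._:\/ -]{1,64}$/', $s) === 1 ? $s : null;
}

/** Best: no shell at all. PHP 7.4+ passes an array command to execve() directly. */
function grep_without_shell(string $needle, string $path): array
{
    // -F: fixed string, --: the needle is never parsed as an option.
    $proc = proc_open(['grep', '-i', '-F', '--', $needle, $path],
                      [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return [];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out === '' ? [] : explode("\n", rtrim($out, "\n"));
}

$payload = '$(sleep 20)';

// Constructed stand-in for a WebPageTest results file.
$results = tempnam(sys_get_temp_dir(), 'wpt');
file_put_contents($results, "GET /index.html 200\nGET /app.js 404\n");

// Original: escapeshellarg() adds single quotes, trim() removes them, $(...) is untouched.
echo "original filter -> ", filter_original($payload), PHP_EOL;
// Hardened: the single quotes stay, so the shell sees a literal string.
echo "quoted          -> ", filter_quoted($payload), PHP_EOL;
// Allow-list: the payload is rejected (null).
echo "allow-list      -> ", var_export(filter_allowlist($payload), true), PHP_EOL;

// Assumed shape of the vulnerable command: double quotes do not stop $(...) substitution.
echo 'vulnerable cmd  -> grep -i "' . filter_original($payload) . '" ' . $results, PHP_EOL;
// Single quotes from escapeshellarg() make the payload a plain search string.
echo 'hardened cmd    -> grep -i ' . filter_quoted($payload) . ' ' . $results, PHP_EOL;

// Without a shell, grep treats the payload as text to search for and finds nothing;
// a legitimate filter still works.
var_dump(grep_without_shell($payload, $results));
var_dump(grep_without_shell('app.js', $results));
unlink($results);
```

The point to take from the first function is that the trim() after escapeshellarg() was presumably there because the command wrapped the value in its own double quotes; that undoes the protection, because double quotes in sh still allow $(...) and backtick substitution. Either leave escapeshellarg()'s quoting alone and drop the surrounding quotes from the command, or, better, pass an argument array so no shell ever parses user input.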

More details are available on the finder's blog.

How To Perform

  1. Submit $(sleep 20) as the value of each available input.
  2. Measure the response time; a delay of at least 20 seconds indicates the command ran.
  3. Change the sleep duration (for example to 5 and then 40) and confirm the response time changes accordingly, which rules out ordinary latency.