Last active
March 22, 2019 22:37
Save fuegas/6aa8dc8256858b2fd6c1fd229fcd5482 to your computer and use it in GitHub Desktop.
Auto patch Freemius vulnerability
```bash
#!/bin/bash
# Walk every class-freemius.php below the web root.
find /var/www/* -type f -name class-freemius.php | while read -r file; do
  after=0
  # Look at the lines following the _set_db_option declaration, one at a time.
  while true; do
    ((after++))
    line=$(grep -A${after} "function _set_db_option" "${file}" | tail -n 1)
    if [[ "${line}" =~ fs_request_get ]]; then
      # Request data is read before any nonce check: insert the check
      # directly after the function declaration, keeping its indentation.
      sed --in-place -E "s/^(.*)(static function _set_db_option.*)$/\1\2\n\1 check_admin_referer( 'fs_set_db_option' );/" "${file}"
      echo "FIXED - ${file}"
      break
    elif [[ "${line}" =~ check_admin_referer ]]; then
      # The nonce check is already present.
      echo "SAFE - ${file}"
      break
    elif [[ ${after} -gt 5 ]]; then
      # Neither marker found close to the declaration: leave the file alone.
      echo "TOO_FAR - ${file}"
      break
    fi
  done
done
```
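A read-only companion to the script above, added here as an example and not part of the original gist: it mirrors the same look-ahead check but only reports, so a server can be audited before anything is edited as root. The names `freemius_status`, `audit_freemius` and `make_sample` and the `NO_FUNCTION` status are hypothetical, and the sample PHP files are constructed.

```bash
#!/bin/bash
# Added example: read-only audit, nothing is modified.

# Classify one file with the gist's heuristic: inspect the 6 lines that follow
# the _set_db_option declaration and report which marker appears first.
# NO_FUNCTION is an added status (the gist reports TOO_FAR in that case).
freemius_status() {
    awk '
        /function _set_db_option/ { found = 1; n = 0; next }
        found && n < 6 {
            n++
            if ($0 ~ /fs_request_get/)      { print "VULNERABLE"; hit = 1; exit }
            if ($0 ~ /check_admin_referer/) { print "SAFE"; hit = 1; exit }
        }
        END { if (!hit) print (found ? "TOO_FAR" : "NO_FUNCTION") }
    ' "$1"
}

# Print "STATUS - path" for every class-freemius.php below a web root.
audit_freemius() {
    find "${1:-/var/www}" -type f -name class-freemius.php | while IFS= read -r file; do
        printf '%s - %s\n' "$(freemius_status "$file")" "$file"
    done
}

# Constructed sample file; $2 becomes the first line of the function body.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '<?php' 'class Freemius {' \
        '    static function _set_db_option() {' \
        "        $2" \
        "        \$value = fs_request_get( 'example' );" \
        '    }' '}' > "$1/class-freemius.php"
}

# Demo on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_sample "$tmp/site-a" "// constructed: no nonce check"
make_sample "$tmp/site-b" "check_admin_referer( 'fs_set_db_option' );"
audit_freemius "$tmp"
rm -rf "$tmp"
```

Files reported as `TOO_FAR` or `NO_FUNCTION` need a manual look, since the heuristic could not place them in either group.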
A small script that tries to patch all vulnerable `class-freemius.php` files. If you want to deploy this using SSH you can use a base64 encoded version so you won't have to upload the script. If your websites are located in a different folder, change `/var/www` to the folder you have your sites in.

Create a base64 encoded version:

```bash
cat patch-freemius.sh | base64 --wrap=0
```

Run it on a server over SSH:

```bash
ssh -t example.com 'echo <base64_encoded_string> | base64 --decode | sudo bash'
```

If you want to store the output into a log file you can use: