CVE-2022-25101: Vulnerability/WBCE_CMS_second.md at master · dota-st/Vulnerability
A vulnerability in the component /templates/install.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file.
File contains vulnerabilities
Info
Author: dota_st
Target: https://github.com/WBCE/WBCE_CMS
Version: WBCE_CMS 1.5.2 (last updated on 2022-02-09)
Submit date: 2022-02-12
Description: Two files contain vulnerabilities that allow the execution of PHP scripts and the generation of a webshell.
No.1
Install Module
The Install Module function decompresses the uploaded compressed package file.
Here the uploaded zip file is unzipped to the temp/unzip folder and checked for an info.php file.
Finally, the info.php file extracted into the temp/unzip directory is included and executed.
We create an info.php file with the content <?php phpinfo();?>
Compress the info.php file into a zip file.
Upload the compressed package.
The PHP statements in info.php are executed successfully.
No.2
The Install Template function decompresses the uploaded compressed package file.
Here the uploaded zip is unzipped into the temp/unzip folder and checked for an info.php file.
As before, we create an info.php file with the content <?php phpinfo();?>
Upload the compressed package.
The PHP statements in info.php are executed successfully.
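
Both cases come down to the installer including an info.php taken from an uploaded archive. One way to read such a file's metadata without executing it, as an added example (not WBCE's code and not the project's fix); the function name and the $module_* variable names in the constructed sample are assumptions:

```php
<?php
// Added example: tokenize an uploaded info.php instead of include()-ing it.

/**
 * Accepts only `$name = 'literal';` statements. Any other token (function
 * call, echo, backticks, string interpolation, inline HTML) is rejected.
 * Returns name => raw string content; escape sequences are left undecoded.
 */
function read_info_literals(string $source): array
{
    $skip = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = [];
    foreach (token_get_all($source) as $t) {
        if (is_array($t) && in_array($t[0], $skip, true)) {
            continue;
        }
        $tokens[] = $t;
    }
    // Every allowed statement is exactly four tokens: $var = 'string' ;
    if (count($tokens) % 4 !== 0) {
        throw new RuntimeException('info.php: unexpected tokens');
    }
    $meta = [];
    foreach (array_chunk($tokens, 4) as [$var, $eq, $val, $semi]) {
        $ok = is_array($var) && $var[0] === T_VARIABLE
            && $eq === '='
            && is_array($val) && $val[0] === T_CONSTANT_ENCAPSED_STRING
            && $semi === ';';
        if (!$ok) {
            throw new RuntimeException('info.php: only string assignments allowed');
        }
        // Drop the leading "$" from the name and the quotes from the value.
        $meta[substr($var[1], 1)] = substr($val[1], 1, -1);
    }
    return $meta;
}

// Constructed samples: a metadata-only file and the proof-of-concept content above.
$benign = "<?php\n\$module_name = 'Demo';\n\$module_version = '1.0';\n";
$poc    = "<?php phpinfo();?>";

var_dump(read_info_literals($benign));
try {
    read_info_literals($poc);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The caller still has to check that the keys it requires are present, and the extracted archive should stay outside any web-served, PHP-executable directory until that check passes.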